package middleware

import (
	"context"
	"net/http"
	"strings"

	"cmr-backend/internal/apperr"
	"cmr-backend/internal/httpx"
	"cmr-backend/internal/platform/jwtx"
)

type authContextKey string

const authKey authContextKey = "auth"

type AuthContext struct {
	UserID       string
	UserPublicID string
	RoleCode     string
}

func NewAuthMiddleware(jwtManager *jwtx.Manager) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			authHeader := strings.TrimSpace(r.Header.Get("Authorization"))
			if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {
				httpx.WriteError(w, apperr.New(http.StatusUnauthorized, "unauthorized", "missing bearer token"))
				return
			}

			token := strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer "))
			claims, err := jwtManager.ParseAccessToken(token)
			if err != nil {
				httpx.WriteError(w, apperr.New(http.StatusUnauthorized, "invalid_token", "invalid access token"))
				return
			}
			if claims.ActorType != "" && claims.ActorType != "user" {
				httpx.WriteError(w, apperr.New(http.StatusUnauthorized, "invalid_token", "invalid access token"))
				return
			}

			ctx := context.WithValue(r.Context(), authKey, &AuthContext{
				UserID:       claims.UserID,
				UserPublicID: claims.UserPublicID,
				RoleCode:     claims.RoleCode,
			})
			next.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}

func GetAuthContext(ctx context.Context) *AuthContext {
	auth, _ := ctx.Value(authKey).(*AuthContext)
	return auth
}