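package middleware

import (
	"net/http"
	"strings"

	"github.com/gin-gonic/gin"

	"gitea.kmux.cn/zhilv/scriptforge/internal/auth"
)

// bearerToken extracts the credential from an RFC 6750 "Bearer <token>"
// Authorization header value. The scheme is matched case-insensitively
// (RFC 7235 §2.1) and the credential is trimmed of surrounding whitespace.
// It returns "" when the header is absent, uses another scheme, or carries
// an empty credential.
func bearerToken(authHeader string) string {
	scheme, credential, found := strings.Cut(authHeader, " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return ""
	}
	return strings.TrimSpace(credential)
}

// JWTAuth returns middleware that authenticates a request from a JWT, if one
// is present, and stores the resulting identity in the gin context under the
// keys "user_id", "username" and "role".
//
// The token is read from the Authorization header ("Bearer <token>") and, as
// a fallback, from the "token" query parameter. Requests that carry no token
// at all are passed through unauthenticated — a route guard such as AdminOnly
// decides whether an identity is required. A token that is present but is
// rejected by authSvc.ParseToken aborts the request with 401 and a
// WWW-Authenticate header; the parse error is deliberately not echoed to the
// client.
func JWTAuth(authSvc *auth.AuthService) gin.HandlerFunc {
	return func(c *gin.Context) {
		tokenStr := bearerToken(c.GetHeader("Authorization"))

		// Query-parameter fallback for clients that cannot set headers.
		// NOTE(review): a token in the URL is recorded in access logs,
		// proxies and browser history; prefer the header and consider
		// limiting this fallback to the routes that actually need it.
		if tokenStr == "" {
			tokenStr = c.Query("token")
		}

		if tokenStr == "" {
			c.Next() // no credentials: continue as anonymous
			return
		}

		claims, err := authSvc.ParseToken(tokenStr)
		if err != nil {
			// RFC 6750 §3: signal that the bearer credential was rejected
			// without disclosing why verification failed.
			c.Header("WWW-Authenticate", `Bearer error="invalid_token"`)
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
			return
		}

		c.Set("user_id", claims.UserID)
		c.Set("username", claims.Username)
		c.Set("role", claims.Role)
		c.Next()
	}
}

// AdminOnly returns middleware that lets the request through only when the
// identity stored by JWTAuth carries the "admin" role; every other request,
// including an unauthenticated one, is aborted with 403. It must be
// registered after JWTAuth on the same route, otherwise no role is ever set
// and every request is rejected.
//
// authSvc is currently unused; the parameter is retained so existing call
// sites keep compiling.
func AdminOnly(authSvc *auth.AuthService) gin.HandlerFunc {
	return func(c *gin.Context) {
		// Assert the stored value is a plain string before comparing. A
		// missing key or a value of any other dynamic type denies access
		// rather than being compared loosely. (Assumes JWTAuth stores
		// claims.Role as a string — confirm against the auth package.)
		role, _ := c.Get("role")
		if roleName, ok := role.(string); !ok || roleName != "admin" {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "admin only"})
			return
		}
		c.Next()
	}
}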