package middleware

import (
	"net/http"
	"strings"

	"github.com/gin-gonic/gin"

	"github.com/dhao2001/mygo/internal/api"
	"github.com/dhao2001/mygo/internal/auth"
)

const userIDKey = "user_id"

// AuthRequired returns a Gin middleware that validates JWT access tokens.
// On success, it injects the user ID into the context via c.Get("user_id").
func AuthRequired(jwtSecret []byte) gin.HandlerFunc {
	return func(c *gin.Context) {
		header := c.GetHeader("Authorization")
		if header == "" {
			api.Error(c, http.StatusUnauthorized, "missing authorization header")
			c.Abort()
			return
		}

		parts := strings.SplitN(header, " ", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") {
			api.Error(c, http.StatusUnauthorized, "invalid authorization header format")
			c.Abort()
			return
		}

		claims, err := auth.ParseToken(parts[1], jwtSecret)
		if err != nil {
			api.Error(c, http.StatusUnauthorized, "invalid or expired token")
			c.Abort()
			return
		}

		if claims.Type != auth.TokenAccess {
			api.Error(c, http.StatusUnauthorized, "invalid token type")
			c.Abort()
			return
		}

		c.Set(userIDKey, claims.UserID)
		c.Next()
	}
}

// GetUserID extracts the user ID injected by AuthRequired.
func GetUserID(c *gin.Context) string {
	v, _ := c.Get(userIDKey)
	if v == nil {
		return ""
	}
	return v.(string)
}