package auth

import (
	"strings"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v5"
)

type JwtTokenGenerator struct {
	Key  string
	Issuer string
	Audience string
}

func NewJwtTokenGenerator(key string, issuer string, audience string) *JwtTokenGenerator {
	return &JwtTokenGenerator{
		Key: key,
		Issuer: issuer,
		Audience: audience,
	}
}

func (j *JwtTokenGenerator) GenerateToken(claims map[string]interface{}) (string, error) {
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"exp": time.Now().AddDate(0, 0, 3).Unix(),
		"iat": time.Now().Unix(),
		"iss": j.Issuer,
		"aud": j.Audience,
	})
	for k, v := range claims {
		token.Claims.(jwt.MapClaims)[k] = v
	}

	return token.SignedString([]byte(j.Key))
}

// Gin middleware
func (j *JwtTokenGenerator) GinMiddleware() gin.HandlerFunc {
	return func(c *gin.Context) {
		authHeader := c.GetHeader("Authorization")
		if authHeader == "" {
			c.AbortWithStatusJSON(401, gin.H{"error": "Unauthorized"})
			return
		}

		tokenString := strings.TrimPrefix(authHeader, "Bearer ")
		t, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
			if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
				return nil, jwt.ErrSignatureInvalid
			}
			return []byte(j.Key), nil
		})

		if err != nil {
			c.AbortWithStatusJSON(401, gin.H{"error": "Unauthorized"})
			return
		}

		claims, ok := t.Claims.(jwt.MapClaims)
		if !ok || claims["role"] != "admin" {
			c.AbortWithStatusJSON(401, gin.H{"error": "Unauthorized"})
			return
		}

		c.Next()
	}
}