<?php

namespace App\Http\Middleware;

use App\Models\Tenant;
use App\Support\ApiError;
use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Sanctum\PersonalAccessToken;
use Symfony\Component\HttpFoundation\Response;

class EnsureTenantAdminToken
{
    /**
     * Handle an incoming request.
     */
    public function handle(Request $request, Closure $next): JsonResponse|Response
    {
        $user = $request->user();

        if (! $user) {
            return $this->unauthorizedResponse('Unauthenticated request.');
        }

        $accessToken = $user->currentAccessToken();

        if (! $accessToken instanceof PersonalAccessToken) {
            return $this->unauthorizedResponse('Missing personal access token context.');
        }

        if (! in_array($user->role, ['tenant_admin', 'super_admin'], true)) {
            return $this->forbiddenResponse('Only tenant administrators may access this resource.');
        }

        if (! $accessToken->can('tenant-admin')) {
            return $this->forbiddenResponse('Access token does not include the tenant-admin ability.');
        }

        /** @var Tenant|null $tenant */
        $tenant = $user->tenant;

        if (! $tenant && $user->role === 'super_admin') {
            $requestedTenantId = $this->resolveRequestedTenantId($request);

            if ($requestedTenantId !== null) {
                $tenant = Tenant::query()->find($requestedTenantId);
            }
        }

        if (! $tenant && $user->role !== 'super_admin') {
            return $this->forbiddenResponse('Tenant context missing for user.');
        }

        if ($tenant) {
            $request->attributes->set('tenant_id', $tenant->id);
            $request->attributes->set('tenant', $tenant);
        } elseif ($user->role === 'super_admin') {
            $requestedTenantId = $this->resolveRequestedTenantId($request);
            if ($requestedTenantId !== null) {
                $request->attributes->set('tenant_id', $requestedTenantId);
            }
        }

        $request->attributes->set('sanctum_token_id', $accessToken->id);

        Auth::shouldUse('sanctum');

        return $next($request);
    }

    private function unauthorizedResponse(string $message): JsonResponse
    {
        return ApiError::response(
            'unauthenticated',
            'Unauthenticated',
            $message,
            Response::HTTP_UNAUTHORIZED
        );
    }

    private function forbiddenResponse(string $message): JsonResponse
    {
        return ApiError::response(
            'tenant_admin_only',
            'Forbidden',
            $message,
            Response::HTTP_FORBIDDEN
        );
    }

    private function resolveRequestedTenantId(Request $request): ?int
    {
        $routeTenant = $request->route('tenant');
        if (is_numeric($routeTenant)) {
            return (int) $routeTenant;
        }

        $queryTenant = $request->query('tenant_id');
        if (is_numeric($queryTenant)) {
            return (int) $queryTenant;
        }

        $headerTenant = $request->header('X-Tenant-ID');
        if (is_numeric($headerTenant)) {
            return (int) $headerTenant;
        }

        return null;
    }
}