<?php

namespace App\Support;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class SupportApiAuthorizer
{
    public static function authorizeResource(Request $request, string $resource, string $action): ?JsonResponse
    {
        $abilities = SupportApiRegistry::abilitiesFor($resource, $action);

        return self::authorizeAbilities($request, $abilities, $action);
    }

    /**
     * @param  array<int, string>  $abilities
     */
    public static function authorizeAbilities(Request $request, array $abilities, string $actionLabel = 'resource'): ?JsonResponse
    {
        if ($abilities === []) {
            return null;
        }

        $token = $request->user()?->currentAccessToken();

        if (! $token) {
            return ApiError::response(
                'unauthenticated',
                'Unauthenticated',
                'Missing access token for support request.',
                401
            );
        }

        foreach ($abilities as $ability) {
            if (! $token->can($ability)) {
                return ApiError::response(
                    'forbidden',
                    'Forbidden',
                    "Missing required ability for support {$actionLabel}.",
                    403,
                    ['required' => $abilities]
                );
            }
        }

        return null;
    }

    /**
     * @param  array<int, string>  $abilities
     */
    public static function authorizeAnyAbility(Request $request, array $abilities, string $actionLabel = 'resource'): ?JsonResponse
    {
        if ($abilities === []) {
            return null;
        }

        $token = $request->user()?->currentAccessToken();

        if (! $token) {
            return ApiError::response(
                'unauthenticated',
                'Unauthenticated',
                'Missing access token for support request.',
                401
            );
        }

        foreach ($abilities as $ability) {
            if ($token->can($ability)) {
                return null;
            }
        }

        return ApiError::response(
            'forbidden',
            'Forbidden',
            "Missing required ability for support {$actionLabel}.",
            403,
            ['required' => $abilities]
        );
    }
}