<?php

namespace App\Http\Middleware;

use App\Support\ApiError;
use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Sanctum\PersonalAccessToken;
use Symfony\Component\HttpFoundation\Response;

class EnsureSupportToken
{
    /**
     * Handle an incoming request.
     */
    public function handle(Request $request, Closure $next): JsonResponse|Response
    {
        $user = $request->user();

        if (! $user) {
            return $this->unauthorizedResponse('Unauthenticated request.');
        }

        $accessToken = $user->currentAccessToken();

        if (! $accessToken instanceof PersonalAccessToken) {
            return $this->unauthorizedResponse('Missing personal access token context.');
        }

        if (! $user->isSuperAdmin()) {
            return $this->forbiddenResponse('Only super administrators may access support APIs.');
        }

        if (! $accessToken->can('support-admin') && ! $accessToken->can('super-admin')) {
            return $this->forbiddenResponse('Access token does not include the support-admin ability.');
        }

        $request->attributes->set('support_token_id', $accessToken->id);

        Auth::shouldUse('sanctum');

        return $next($request);
    }

    private function unauthorizedResponse(string $message): JsonResponse
    {
        return ApiError::response(
            'unauthenticated',
            'Unauthenticated',
            $message,
            Response::HTTP_UNAUTHORIZED
        );
    }

    private function forbiddenResponse(string $message): JsonResponse
    {
        return ApiError::response(
            'support_forbidden',
            'Forbidden',
            $message,
            Response::HTTP_FORBIDDEN
        );
    }
}