<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class TenantIsolation
{
    /**
     * Handle an incoming request.
     */
    public function handle(Request $request, Closure $next)
    {
        $tenantId = $request->attributes->get('tenant_id');

        if (!$tenantId) {
            return response()->json(['error' => 'Tenant ID not found in token'], 401);
        }

        // Get the tenant from request (query param, route param, or header)
        $requestTenantId = $this->getTenantIdFromRequest($request);

        if ($requestTenantId && $requestTenantId != $tenantId) {
            return response()->json(['error' => 'Tenant isolation violation'], 403);
        }

        // Set tenant context for query scoping
        DB::statement("SET @tenant_id = ?", [$tenantId]);
        
        // Add tenant context to request for easy access in controllers
        $request->attributes->set('current_tenant_id', $tenantId);

        return $next($request);
    }

    /**
     * Extract tenant ID from request
     */
    private function getTenantIdFromRequest(Request $request): ?int
    {
        // 1. Route parameter (e.g., /api/v1/tenant/123/events)
        if ($request->route('tenant')) {
            return (int) $request->route('tenant');
        }

        // 2. Query parameter (e.g., ?tenant_id=123)
        if ($request->query('tenant_id')) {
            return (int) $request->query('tenant_id');
        }

        // 3. Header (X-Tenant-ID)
        if ($request->header('X-Tenant-ID')) {
            return (int) $request->header('X-Tenant-ID');
        }

        // 4. For tenant-specific resources, use token tenant_id
        return null;
    }
}