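package com.recipeapp.common;

import com.recipeapp.recipe.HouseholdResolver;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Enforces {@link RequiresHouseholdRole} on controller handler methods.
 *
 * <p>For every request routed to a {@link HandlerMethod} carrying the annotation, the caller's
 * household role is looked up through {@link HouseholdResolver} and compared with the role named
 * in the annotation. A mismatch, or a missing/unauthenticated security context, is rejected by
 * throwing {@link ForbiddenException}; handlers without the annotation pass through untouched.
 *
 * <p>Only the method-level annotation is consulted ({@code HandlerMethod#getMethodAnnotation});
 * a class-level {@code RequiresHouseholdRole}, if the annotation type permits one, is not seen
 * here — confirm that is intended.
 */
@Component
public class HouseholdRoleInterceptor implements HandlerInterceptor {

    private final HouseholdResolver householdResolver;

    public HouseholdRoleInterceptor(HouseholdResolver householdResolver) {
        this.householdResolver = householdResolver;
    }

    /**
     * Checks the caller's household role before the handler runs.
     *
     * @param request  current request (unused; identity is taken from the security context)
     * @param response current response (unused)
     * @param handler  the matched handler; only {@link HandlerMethod} instances are inspected
     * @return {@code true} to continue the chain; this interceptor never returns {@code false},
     *         denial is always signalled by throwing
     * @throws ForbiddenException if there is no authenticated principal, or if its resolved
     *         household role does not equal the annotation's value
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        // Non-method handlers (e.g. resource handlers) carry no annotation to enforce.
        if (!(handler instanceof HandlerMethod handlerMethod)) {
            return true;
        }
        RequiresHouseholdRole required = handlerMethod.getMethodAnnotation(RequiresHouseholdRole.class);
        if (required == null) {
            return true;
        }

        var auth = SecurityContextHolder.getContext().getAuthentication();
        // Reject before touching the resolver: a token Spring Security has not marked as
        // authenticated must not drive a role lookup. NOTE(review): with the default filter chain
        // an anonymous request carries an AnonymousAuthenticationToken, whose isAuthenticated()
        // is true, so it still reaches resolveRole() with the anonymous principal name; denial
        // then relies on the resolver not returning the required role for it — confirm.
        if (auth == null || !auth.isAuthenticated()) {
            throw new ForbiddenException("Not authenticated");
        }

        String actualRole = householdResolver.resolveRole(auth.getName());
        // Exact match only, no role hierarchy. A null actualRole (user not in a household)
        // fails the comparison and is therefore rejected.
        if (!required.value().equals(actualRole)) {
            throw new ForbiddenException("Insufficient permissions");
        }
        return true;
    }
}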