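package auth

import (
	"context"
	"database/sql"
	"errors"
	"net/http"
	"strings"

	"github.com/appwrite/sdk-for-go/client"
	"github.com/appwrite/sdk-for-go/users"
	"github.com/gin-gonic/gin"
)

// MyUser is the local (database-side) identity attached to a request once
// the caller's Appwrite session has been validated.
type MyUser struct {
	ID   string // primary key of the local users row
	Role string // role column of the local users row
}

// AuthProvider validates Appwrite JWTs and mirrors the remote identity into
// the local users table.
//
// AppwriteClient is a read-only template. ValidateSession never calls
// SetJWT on it directly: each request works on a private copy (with its own
// header map), otherwise concurrent requests would overwrite each other's
// JWT in shared state and one caller could be resolved with another's
// credentials.
type AuthProvider struct {
	AppwriteClient client.Client
	DB             *sql.DB
}

// bearerToken extracts the credential from an Authorization header value.
//
// Only the Bearer scheme is accepted (compared case-insensitively, as HTTP
// authentication schemes are). A bare token with no scheme, a different
// scheme, "Bearer" with nothing after it, or extra fields all yield
// ok == false.
func bearerToken(header string) (token string, ok bool) {
	fields := strings.Fields(header)
	if len(fields) != 2 || !strings.EqualFold(fields[0], "Bearer") {
		return "", false
	}
	return fields[1], true
}

// lookupRemoteUser resolves the JWT against Appwrite and returns the remote
// user's id, email and display name.
//
// The SDK stores the JWT in the client's header map, so the call is made on
// a copy of p.AppwriteClient with a cloned Headers map; p.AppwriteClient
// itself is only read, which keeps it safe to share between handlers.
func (p *AuthProvider) lookupRemoteUser(token string) (id, email, name string, err error) {
	cl := p.AppwriteClient
	cl.Headers = make(map[string]string, len(p.AppwriteClient.Headers)+1)
	for k, v := range p.AppwriteClient.Headers {
		cl.Headers[k] = v
	}
	cl.SetJWT(token)

	// NOTE(review): the Users service is normally key-authenticated and its
	// Get takes a user id; resolving "the caller behind this JWT" is usually
	// the Account service's Get. Confirm this call compiles and returns the
	// JWT's own user against the pinned SDK version.
	remote, err := users.New(cl).Get()
	if err != nil {
		return "", "", "", err
	}
	return remote.Id, remote.Email, remote.Name, nil
}

// syncLocalUser returns the local users row for an Appwrite identity,
// creating it on first sight.
//
// Two requests for a brand-new user can race: both see no row and both try
// to INSERT. When the INSERT fails, the row is re-read once so the loser of
// that race picks up the winner's row instead of surfacing a 500. Any other
// failure is returned as-is; the returned MyUser is then meaningless.
func (p *AuthProvider) syncLocalUser(ctx context.Context, appwriteID, email, fullName string) (MyUser, error) {
	const (
		selectUser = "SELECT id, role FROM users WHERE appwrite_id = $1"
		insertUser = "INSERT INTO users (appwrite_id, email, full_name) VALUES ($1, $2, $3) RETURNING id, role"
	)

	var u MyUser
	err := p.DB.QueryRowContext(ctx, selectUser, appwriteID).Scan(&u.ID, &u.Role)
	if err == nil {
		return u, nil
	}
	if !errors.Is(err, sql.ErrNoRows) {
		return MyUser{}, err
	}

	if err = p.DB.QueryRowContext(ctx, insertUser, appwriteID, email, fullName).Scan(&u.ID, &u.Role); err == nil {
		return u, nil
	}
	// The INSERT failed; a concurrent request may already have created the
	// row. Re-read it before giving up, but report the original INSERT error
	// when the row still is not there.
	if retryErr := p.DB.QueryRowContext(ctx, selectUser, appwriteID).Scan(&u.ID, &u.Role); retryErr == nil {
		return u, nil
	}
	return MyUser{}, err
}

// ValidateSession is gin middleware that authenticates the request with its
// Bearer JWT and stores the local user under the "user_id" and "user_role"
// context keys for downstream handlers.
//
// Responses: 401 when the Authorization header carries no Bearer token or
// the IDP rejects it; 500 when the local users table cannot be read or
// written. The request's own context bounds the database calls, so a client
// that disconnects does not leave queries running.
func (p *AuthProvider) ValidateSession() gin.HandlerFunc {
	return func(c *gin.Context) {
		token, ok := bearerToken(c.GetHeader("Authorization"))
		if !ok {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Token ausente"})
			return
		}

		appwriteID, email, fullName, err := p.lookupRemoteUser(token)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "Sessão inválida no IDP"})
			return
		}

		local, err := p.syncLocalUser(c.Request.Context(), appwriteID, email, fullName)
		if err != nil {
			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "Erro ao sincronizar usuário"})
			return
		}

		c.Set("user_id", local.ID)
		c.Set("user_role", local.Role)
		c.Next()
	}
}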