<?php

declare(strict_types=1);

namespace App\Http\Middleware;

use App\Constants\ErrorCode;
use App\Services\Auth\TokenService;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ValidateAccessToken
{
    public function __construct(
        private readonly TokenService $tokenService
    ) {}

    public function handle(Request $request, Closure $next): Response
    {
        // 禁止访问管理员路由
        if (str_starts_with($request->path(), 'api/admin')) {
            return response()->json([
                'error' => ErrorCode::FORBIDDEN,
                'message' => '客户用户无权访问管理员资源。',
            ], Response::HTTP_FORBIDDEN);
        }

        $bearerToken = $request->bearerToken();

        if (!$bearerToken) {
            return response()->json([
                'error' => ErrorCode::UNAUTHORIZED,
                'message' => '未授权，令牌无效或未提供。',
            ], Response::HTTP_UNAUTHORIZED);
        }

        $tokenData = $this->tokenService->validateAccessToken($bearerToken);

        if (!$tokenData) {
            return response()->json([
                'error' => ErrorCode::UNAUTHORIZED,
                'message' => '访问令牌无效或已过期。',
            ], Response::HTTP_UNAUTHORIZED);
        }

        // Add client information to the request for later use
        $request->merge(['client_id' => $tokenData['client_id']]);

        return $next($request);
    }
}