import { Injectable, UnauthorizedException } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import type { Request } from 'express';
import { UserStatus } from '../../common/constants/enums';
import { UsersService } from '../../users/users.service';
import type { JwtUserPayload } from '../jwt.types';
import { resolveJwtAccessSecret } from '../../config/runtime-config';
import { docId } from '../../common/utils/mongo.util';
import { resolveStoredRole } from '../../users/user-api.mapper';

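/**
 * Locates the access token on an incoming request.
 *
 * Sources, in order of precedence:
 *  1. `Authorization: Bearer <token>` (passport-jwt's stock extractor).
 *  2. The `x-access-token` header, with surrounding whitespace removed.
 *
 * This function only decides where the token comes from. Signature and expiry
 * checks are performed by the strategy that uses this extractor. A blank or
 * whitespace-only header value is reported as `null` ("no token") for both the
 * string form and the array form of the header.
 *
 * NOTE(review): `x-access-token` carries the same bearer credential as
 * `Authorization`; confirm that proxies and request logging redact it as well.
 *
 * @param req Incoming Express request.
 * @returns The raw token string, or `null` when no non-empty token is present.
 */
function jwtFromRequest(req: Request): string | null {
  const bearer = ExtractJwt.fromAuthHeaderAsBearerToken()(req);
  if (bearer) return bearer;

  const header = req.headers['x-access-token'];
  // When the header is presented as an array, only its first value is used.
  const candidate = Array.isArray(header) ? header[0] : header;
  if (typeof candidate !== 'string') return null;

  // Normalise "present but blank" to null so callers never receive ''.
  const token = candidate.trim();
  return token ? token : null;
}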

/**
 * Passport strategy registered under the name `jwt`.
 *
 * Tokens are located by `jwtFromRequest` and verified against the secret
 * returned by `resolveJwtAccessSecret`; expired tokens are rejected
 * (`ignoreExpiration: false`).
 *
 * NOTE(review): no `algorithms` option is passed to the strategy, so the set of
 * accepted signing algorithms is left to the underlying JWT library's default.
 * Consider pinning it to the algorithm used when tokens are issued.
 */
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
  constructor(
    config: ConfigService,
    private readonly users: UsersService,
  ) {
    super({
      // Where to look for the token on the request.
      jwtFromRequest,
      // Expired tokens must fail verification.
      ignoreExpiration: false,
      // Verification secret, resolved from configuration.
      secretOrKey: resolveJwtAccessSecret(config),
    });
  }

  /**
   * Maps the claims of an already-verified token to the request principal.
   *
   * Only `sub` and `uid` are read from the token, and only to look the user up.
   * Every field of the returned principal comes from the stored user record, so
   * role or email values inside the token are not trusted.
   *
   * NOTE(review): only `UserStatus.INACTIVE` is rejected here; confirm that no
   * other status value should also block authentication.
   * NOTE(review): any `deviceId` carried by the token is not compared with the
   * stored one; confirm whether device binding is enforced elsewhere.
   *
   * @param payload Claims decoded from the verified token.
   * @returns The principal rebuilt from the stored user.
   * @throws UnauthorizedException when no user matches or the user is inactive.
   */
  async validate(payload: JwtUserPayload): Promise<JwtUserPayload> {
    // Primary lookup by `sub`; fall back to `uid` only when that finds nothing.
    const byId = await this.users.findById(payload.sub);
    const account =
      !byId && payload.uid ? await this.users.findByUid(payload.uid) : byId;

    if (!account) {
      throw new UnauthorizedException();
    }
    if (account.status === UserStatus.INACTIVE) {
      throw new UnauthorizedException();
    }

    // The stored role is passed through resolveStoredRole; when the result
    // differs from what is stored, UsersService is asked to sync it.
    const effectiveRole = resolveStoredRole(account.role);
    const roleChanged = effectiveRole !== account.role;
    if (roleChanged) {
      await this.users.syncUserRole(account.uid, effectiveRole);
    }

    const principal: JwtUserPayload = {
      sub: docId(account),
      uid: account.uid,
      email: account.email,
      role: effectiveRole,
      deviceId: account.deviceId,
    };
    return principal;
  }
}
