import {
  CanActivate,
  ExecutionContext,
  ForbiddenException,
  Injectable,
} from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { UserRole } from '../constants/enums';
import { ROLES_KEY } from '../decorators/roles.decorator';
import type { JwtUserPayload } from '../../auth/jwt.types';
import { resolveStoredRole } from '../../users/user-api.mapper';

@Injectable()
export class RolesGuard implements CanActivate {
  constructor(private reflector: Reflector) {}

  /**
   * Authorizes the current request against the roles declared with the
   * `@Roles()` decorator.
   *
   * Role metadata is read with `getAllAndOverride`, so a handler-level
   * declaration replaces (rather than merges with) the class-level one.
   * Routes that carry no role metadata, or an empty role list, are passed
   * through unconditionally: this guard does not authenticate, it only
   * compares the role of a principal that an earlier guard has already
   * attached to `request.user`.
   *
   * @param context - execution context of the incoming HTTP request.
   * @returns `true` when no roles are required or the user's role is allowed.
   * @throws ForbiddenException when `request.user` is absent, or when the
   *   user's stored role (after `resolveStoredRole`) is not one of the
   *   required roles.
   */
  canActivate(context: ExecutionContext): boolean {
    const allowed = this.requiredRoles(context);
    if (allowed == null || allowed.length === 0) {
      return true;
    }

    const { user: principal } = context
      .switchToHttp()
      .getRequest<{ user: JwtUserPayload }>();
    if (!principal) {
      throw new ForbiddenException();
    }

    // The token carries the stored representation of the role; map it onto
    // a UserRole before comparing (mapping rules live in user-api.mapper).
    const actual = resolveStoredRole(principal.role);
    const permitted = allowed.some((candidate) => candidate === actual);
    if (!permitted) {
      throw new ForbiddenException('Insufficient role');
    }
    return true;
  }

  /** Reads `@Roles()` metadata, preferring the handler's over the class's. */
  private requiredRoles(context: ExecutionContext): UserRole[] | undefined {
    return this.reflector.getAllAndOverride<UserRole[]>(ROLES_KEY, [
      context.getHandler(),
      context.getClass(),
    ]);
  }
}
