<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SiteWeaverAuth
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next, ...$permissions): Response
    {
        if (! $request->user()) {
            return $request->expectsJson()
                ? response()->json(['message' => 'Unauthenticated.'], 401)
                : redirect()->route('login');
        }

        // Check for 2FA requirement
        if ($request->user()->two_factor_secret &&
            ! $request->session()->has('auth.two_factor_confirmed_at') &&
            ! $request->routeIs('two-factor.login')) {
            return $request->expectsJson()
                ? response()->json(['message' => 'Two factor challenge required.', 'redirect' => route('two-factor.login')], 403)
                : redirect()->route('two-factor.login');
        }

        // Hard-coded bypass for the 'admin' role
        if ($request->user()->hasRole('admin')) {
            return $next($request);
        }

        if (empty($permissions)) {
            return $next($request);
        }

        foreach ($permissions as $permission) {
            // Support 'can:slug' prefix
            if (str_starts_with($permission, 'can:')) {
                $permission = substr($permission, 4);
            }

            if ($request->user()->hasPermission($permission)) {
                return $next($request);
            }
        }

        return $request->expectsJson()
            ? response()->json(['message' => 'Unauthorized.'], 403)
            : abort(403, 'Unauthorized access.');
    }
}