<?php

declare(strict_types=1);

namespace App\Module\Permissions\Middleware;

use App\Module\Permissions\Service\PermissionService;
use App\Shared\Http\JsonResponder;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Psr7\Response;

final class RequirePermission implements MiddlewareInterface
{
    public function __construct(
        private PermissionService $permissions,
        private string $permissionKey
    ) {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $user = $request->getAttribute('user');
        if (!is_array($user) || !isset($user['id'])) {
            return JsonResponder::withJson(new Response(), [
                'error' => 'auth_required',
                'message' => 'Authentifizierung erforderlich.'
            ], 401);
        }

        if (!$this->permissions->can((int)$user['id'], $this->permissionKey)) {
            return JsonResponder::withJson(new Response(), [
                'error' => 'forbidden',
                'message' => 'Keine Berechtigung für diese Aktion.',
                'permission' => $this->permissionKey,
            ], 403);
        }

        return $handler->handle($request);
    }

    public static function for(PermissionService $permissions, string $permissionKey): self
    {
        return new self($permissions, $permissionKey);
    }
}