package authclient

import (
	"net/http"

	"git.threesix.ai/jordan/sp4-debug-1770477266/pkg/auth"
	"git.threesix.ai/jordan/sp4-debug-1770477266/pkg/httpresponse"
)

// Middleware builds an HTTP middleware that authenticates each request by
// asking auth-svc (through client) to validate its Bearer token.
//
// Per request it:
//   - reads the token with auth.ExtractBearerToken and answers 401
//     ("missing authorization token") when that yields an empty string;
//   - calls client.Validate and answers 401 ("invalid token") on any error;
//   - otherwise stores the returned user and the token in the request context
//     and hands the request to the next handler.
//
// The middleware fails closed: next is only reached after Validate returns
// without error. Every Validate error is reported to the caller as
// "invalid token", so a failed call to auth-svc is indistinguishable from a
// rejected token at the HTTP layer; the underlying error is only visible in
// the debug log.
func Middleware(client *Client) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		authenticate := func(w http.ResponseWriter, r *http.Request) {
			bearer := auth.ExtractBearerToken(r)
			if bearer == "" {
				httpresponse.Unauthorized(w, r, "missing authorization token")
				return
			}

			principal, validateErr := client.Validate(r.Context(), bearer)
			if validateErr != nil {
				// Only the error is logged, never the token itself; the
				// response carries a generic message.
				// NOTE(review): confirm Validate's errors do not embed the token.
				client.logger.Debug("token validation via auth-svc failed", "error", validateErr)
				httpresponse.Unauthorized(w, r, "invalid token")
				return
			}

			// The raw token travels in the context next to the user, so
			// downstream code that dumps or logs context values would expose
			// it. Presumably it is kept for forwarding to other services;
			// verify against callers.
			authedCtx := auth.SetToken(auth.SetUser(r.Context(), principal), bearer)
			next.ServeHTTP(w, r.WithContext(authedCtx))
		}
		return http.HandlerFunc(authenticate)
	}
}