import { Request, Response, NextFunction } from 'express';
import jwt from 'jsonwebtoken';
import { Role } from '@prisma/client';
import { prisma } from '../models';

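/**
 * Resolve the HMAC secret used to sign and verify session tokens.
 *
 * A hard-coded fallback is only tolerable for local development: anyone who
 * can read this file could otherwise mint a token for any user id and role.
 * In production a missing or empty JWT_SECRET is therefore a startup error,
 * not a silent downgrade to a publicly known key.
 *
 * @param env - environment to read from; defaults to `process.env`
 *   (parameterised so the resolution rule can be unit-tested).
 * @returns the secret string.
 * @throws Error when NODE_ENV is 'production' and JWT_SECRET is unset or empty.
 */
function resolveJwtSecret(env: Record<string, string | undefined> = process.env): string {
  const secret = env.JWT_SECRET;
  // Truthiness check on purpose: an empty JWT_SECRET counts as unset.
  if (secret) {
    return secret;
  }
  if (env.NODE_ENV === 'production') {
    throw new Error('JWT_SECRET must be set in production');
  }
  return 'dev-secret';
}

const JWT_SECRET = resolveJwtSecret();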

/**
 * Claims written by signToken and read back by authMiddleware.
 *
 * Only `sub` (the user id) is load-bearing: authMiddleware looks the user up
 * by `sub` and takes `email` and `role` from the database row, so the copies
 * carried in the token are informational and may be stale.
 */
export interface JwtPayload {
  /** User id; used as `where: { id }` for the user lookup. */
  sub: string;
  /** Email at issue time; not used for authorization decisions. */
  email: string;
  /** Role at issue time; not used for authorization decisions. */
  role: Role;
}

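/**
 * Issue a signed bearer token for a user.
 *
 * @param userId - becomes the `sub` claim; authMiddleware reloads the user by it.
 * @param email - copied into the token for convenience; not used for authorization.
 * @param role - the role at issue time. authMiddleware takes the effective role
 *   from the database, so a stale role in the token does not grant access.
 * @returns the compact JWS string.
 * @throws if JWT_EXPIRY is set to a value jsonwebtoken cannot parse as a timespan.
 */
export function signToken(userId: string, email: string, role: Role): string {
  const opts: jwt.SignOptions = {
    // Pin the algorithm explicitly (it is the library default) so the signer
    // and the verifier's allow-list cannot drift apart silently.
    algorithm: 'HS256',
    // `??` deliberately does not fall back on an empty JWT_EXPIRY: an empty
    // timespan is expected to be rejected by jsonwebtoken rather than quietly
    // producing a token with a surprising lifetime.
    expiresIn: process.env.JWT_EXPIRY ?? '24h',
  };
  return jwt.sign({ sub: userId, email, role }, JWT_SECRET, opts);
}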

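/**
 * Narrow a verified token payload to the one claim this middleware relies on:
 * a non-empty string `sub`. Anything else (a string payload, a missing or
 * non-string `sub`) is treated as an invalid token instead of reaching the DB.
 */
function hasSubject(payload: unknown): payload is Pick<JwtPayload, 'sub'> {
  if (typeof payload !== 'object' || payload === null) {
    return false;
  }
  const sub = (payload as { sub?: unknown }).sub;
  return typeof sub === 'string' && sub.length > 0;
}

/**
 * Express middleware that authenticates an `Authorization: Bearer <token>`
 * header and attaches the current user to `req.user`.
 *
 * Responses:
 * - 401 `Unauthorized`      — no `Bearer` authorization header.
 * - 401 `Invalid token`     — signature, expiry or algorithm check failed, or
 *                             the payload carries no usable `sub`.
 * - 401 `User not found`    — the token verifies but its subject no longer exists.
 * - 403 `Account suspended` — the user row is flagged `is_suspended`.
 *
 * The effective email and role come from the database row, not from the
 * token, so a token issued before a role change or suspension does not keep
 * the old privileges. This middleware performs no other revocation check: a
 * token for an existing, unsuspended user stays valid until its `exp`.
 *
 * Database failures are not reported as `Invalid token`; they are handed to
 * `next(err)` so the app's error handler (and its logs) see them.
 */
export async function authMiddleware(req: Request, res: Response, next: NextFunction): Promise<void> {
  const header = req.headers.authorization;
  const token = header?.startsWith('Bearer ') ? header.slice(7) : null;
  if (!token) {
    res.status(401).json({ success: false, error: 'Unauthorized' });
    return;
  }

  let subject: string;
  try {
    // Restrict verification to the algorithm signToken uses. With a shared
    // secret this is an explicit allow-list rather than a library default.
    const decoded: unknown = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] });
    if (!hasSubject(decoded)) {
      res.status(401).json({ success: false, error: 'Invalid token' });
      return;
    }
    subject = decoded.sub;
  } catch {
    // Only jwt.verify is inside this try, so this branch means the token
    // itself is bad — not that the database was unreachable.
    res.status(401).json({ success: false, error: 'Invalid token' });
    return;
  }

  try {
    const user = await prisma.user.findUnique({ where: { id: subject } });
    if (!user) {
      res.status(401).json({ success: false, error: 'User not found' });
      return;
    }
    if (user.is_suspended) {
      res.status(403).json({ success: false, error: 'Account suspended' });
      return;
    }
    req.user = {
      id: user.id,
      email: user.email,
      full_name: user.full_name,
      role: user.role,
    };
  } catch (err: unknown) {
    // Infrastructure error: surface it to the error handler instead of
    // disguising it as an authentication failure.
    next(err);
    return;
  }
  // Called outside the try so an error thrown by a downstream handler is not
  // caught here and passed to next() a second time.
  next();
}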
