// auth/otp-auth.guard.ts
import {
  CanActivate,
  ExecutionContext,
  Injectable,
  UnprocessableEntityException,
} from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { InjectDataSource } from '@nestjs/typeorm';
import { validatePassword } from 'src/core/helpers/password/bcrypt.helpers';
import {
  CONNECTION_NAME,
  STATUS,
} from 'src/core/strings/constants/base.constants';
import { UserRole } from 'src/modules/user-related/user/constants';
import { UserModel } from 'src/modules/user-related/user/data/models/user.model';
import { DataSource, Not } from 'typeorm';

@Injectable()
export class OtpAuthGuard implements CanActivate {
  constructor(
    private readonly jwtService: JwtService,

    @InjectDataSource(CONNECTION_NAME.DEFAULT)
    protected readonly dataSource: DataSource,
  ) {}

  get userRepository() {
    return this.dataSource.getRepository(UserModel);
  }

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const request = context.switchToHttp().getRequest();
    const jwtAuth = request.headers['authorization'];
    const basicAuth = request.headers['x-basic-authorization'];

    // 1. Cek OTP Auth (basic_authorization header)
    if (basicAuth) {
      try {
        const decoded = Buffer.from(basicAuth, 'base64').toString('ascii');
        const [username, password] = decoded.split('|');

        const userLogin = await this.userRepository.findOne({
          where: {
            username: username,
            status: STATUS.ACTIVE,
            role: Not(UserRole.QUEUE_ADMIN),
          },
        });

        const valid = await validatePassword(password, userLogin?.password);

        if (userLogin && valid) {
          request.user = userLogin;
          return true;
        } else {
          throw new UnprocessableEntityException('Invalid OTP credentials');
        }
      } catch (err) {
        throw new UnprocessableEntityException('Invalid OTP encoding');
      }
    }

    // 2. Cek JWT (Authorization: Bearer <token>)
    if (jwtAuth && jwtAuth.startsWith('Bearer ')) {
      const token = jwtAuth.split(' ')[1];
      try {
        const payload = await this.jwtService.verifyAsync(token);
        request.user = payload;
        return true;
      } catch (err) {
        throw new UnprocessableEntityException('Invalid JWT token');
      }
    }

    throw new UnprocessableEntityException(
      'No valid authentication method found',
    );
  }
}