<?php
declare(strict_types=1);

namespace app\api\middleware;

use app\api\cache\AuthTokenCache;
use app\api\util\ReturnCode;
use plugin\saiadmin\app\model\system\SystemUser;
use plugin\saiadmin\exception\ApiException;
use Tinywan\Jwt\JwtToken;
use Tinywan\Jwt\Exception\JwtTokenException;
use Tinywan\Jwt\Exception\JwtTokenExpiredException;
use Webman\Http\Request;
use Webman\Http\Response;
use Webman\MiddlewareInterface;

/**
 * 校验 auth-token 请求头（JWT）
 * 用于 /api/v1/* 接口（除 /api/v1/authtoken 外）
 * 请求头需携带 auth-token，通过后注入 request->agent_id
 */
class AuthTokenMiddleware implements MiddlewareInterface
{
    public function process(Request $request, callable $handler): Response
    {
        $token = $request->header('auth-token');
        $token = $token !== null ? trim((string) $token) : '';
        if ($token === '') {
            throw new ApiException('Please provide auth-token', ReturnCode::UNAUTHORIZED);
        }

        try {
            $decoded = JwtToken::verify(1, $token);
        } catch (JwtTokenExpiredException $e) {
            throw new ApiException('auth-token expired', ReturnCode::TOKEN_INVALID);
        } catch (JwtTokenException $e) {
            throw new ApiException('auth-token invalid', ReturnCode::TOKEN_INVALID);
        } catch (\Throwable $e) {
            throw new ApiException('auth-token format invalid', ReturnCode::TOKEN_INVALID);
        }

        $extend = $decoded['extend'] ?? [];
        if ((string) ($extend['plat'] ?? '') !== 'api_auth_token') {
            throw new ApiException('auth-token invalid', ReturnCode::TOKEN_INVALID);
        }
        $agentId = trim((string) ($extend['agent_id'] ?? ''));
        if ($agentId === '') {
            throw new ApiException('auth-token invalid', ReturnCode::TOKEN_INVALID);
        }

        // 单次 Redis：token → agent_id，与 JWT 内 agent_id 一致即有效（减少一次按 agent 取当前 token 的往返）
        $agentIdFromStore = AuthTokenCache::getAgentIdByToken($token);
        if ($agentIdFromStore === null || $agentIdFromStore !== $agentId) {
            throw new ApiException('auth-token invalid or expired', ReturnCode::TOKEN_INVALID);
        }

        $agent = SystemUser::where('agent_id', $agentId)->find();
        if (!$agent || (int) ($agent->status ?? 0) !== 1) {
            throw new ApiException('Invalid agent_id', ReturnCode::FORBIDDEN);
        }
        if (empty($agent->dept_id) || (int) $agent->dept_id <= 0) {
            throw new ApiException('Agent channel is not configured', ReturnCode::FORBIDDEN);
        }

        $request->agent_id = $agentId;
        $request->agent_admin_id = (int) $agent->id;
        $request->agent_dept_id = (int) $agent->dept_id;
        return $handler($request);
    }
}