import {
  Injectable,
  CanActivate,
  ExecutionContext,
  ForbiddenException,
} from "@nestjs/common"
import { Reflector } from "@nestjs/core"
import { verifyJwtToken } from "../../utils/jwt"
import { RolePermissionsService } from "../../modules/role-permissions/role-permissions.service"

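/**
 * Route guard that enforces the permissions declared under the "permissions"
 * metadata key on a handler or its controller class.
 *
 * Routes with no "permissions" metadata are let through without a token.
 * Otherwise the caller must present a token in the Authorization header whose
 * decoded payload carries `role_id` and `company_id`, and the role must hold
 * every required permission.
 */
@Injectable()
export class PermissionGuard implements CanActivate {
  constructor(
    private reflector: Reflector,
    private rolePermissionsService: RolePermissionsService,
  ) {}

  /**
   * Decides whether the current request may reach the handler.
   *
   * @param context - Execution context used to read route metadata and the HTTP request.
   * @returns `true` when no permissions are required or all required permissions are held.
   * @throws ForbiddenException when the token is missing, cannot be verified,
   *   lacks `role_id`/`company_id`, or the role does not hold every required permission.
   */
  async canActivate(context: ExecutionContext): Promise<boolean> {
    // Handler-level metadata overrides class-level metadata.
    const requiredPermissions = this.reflector.getAllAndOverride<string[]>(
      "permissions",
      [context.getHandler(), context.getClass()],
    )

    if (!requiredPermissions) {
      return true // No permissions required
    }

    const request = context.switchToHttp().getRequest()
    // NOTE(review): the raw Authorization header value is handed to
    // verifyJwtToken unchanged; confirm that helper copes with a scheme
    // prefix such as "Bearer " if clients send one.
    const token = request.headers.authorization

    if (!token) {
      throw new ForbiddenException("No authorization token provided")
    }

    const decoded = verifyJwtToken(token)
    if (!decoded || !decoded.role_id || !decoded.company_id) {
      throw new ForbiddenException("Invalid token or missing role information")
    }

    // Look up what this role is allowed to do within the company. This lookup
    // and the comparison below were previously commented out, which made the
    // guard approve every request carrying a verifiable token regardless of
    // the permissions the route declared.
    const userPermissions =
      await this.rolePermissionsService.getUserPermissions(
        decoded.role_id,
        decoded.company_id,
      )

    // Every required permission must be present; a single missing one denies.
    const hasPermission = requiredPermissions.every((permission) =>
      userPermissions.includes(permission),
    )

    if (!hasPermission) {
      throw new ForbiddenException("Insufficient permissions")
    }

    return true
  }
}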
