import {
  CanActivate,
  ExecutionContext,
  Injectable,
  UnauthorizedException,
} from '@nestjs/common';
import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm';
import { ApiKey } from '../../../entities/api-key.entity';
import { User } from '../../../entities/user.entity';

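/**
 * Guard that authenticates a request from its `X-API-Key` header.
 *
 * On success the owning {@link User} is attached to `request.user` and the
 * key's `lastUsedAt` timestamp is refreshed. Every failure path throws
 * {@link UnauthorizedException}; the guard never returns `false`.
 */
@Injectable()
export class ApiKeyAuthGuard implements CanActivate {
  constructor(
    @InjectRepository(ApiKey)
    private readonly apiKeyRepo: Repository<ApiKey>,
    @InjectRepository(User)
    private readonly userRepo: Repository<User>,
  ) {}

  /**
   * Validates the presented API key and resolves its owner.
   *
   * @param context - Execution context of the incoming HTTP request.
   * @returns `true` once the key and its owner have both been accepted.
   * @throws UnauthorizedException when the header is absent, empty or not a
   *   single string value, when no active key matches, or when the owning
   *   user is missing or inactive.
   */
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const request = context.switchToHttp().getRequest<{
      headers: Record<string, string | string[] | undefined>;
      user?: User;
    }>();

    // Check the runtime type instead of asserting it: a header value that is
    // not a single non-empty string must never reach the repository query.
    const presentedKey = request.headers['x-api-key'];
    if (typeof presentedKey !== 'string' || presentedKey.length === 0) {
      throw new UnauthorizedException('Missing X-API-Key header');
    }

    // The header value is matched directly against the `key` column.
    // NOTE(review): if that column holds the secret itself rather than a
    // digest, anyone with read access to the table obtains usable keys.
    // Confirm how keys are stored at rest.
    const apiKey = await this.apiKeyRepo.findOne({
      where: { key: presentedKey, isActive: true },
    });
    if (!apiKey) {
      throw new UnauthorizedException('Invalid or revoked API key');
    }

    // An active key is not enough: the owning account must exist and be active.
    const user = await this.userRepo.findOne({ where: { id: apiKey.userId } });
    if (!user || !user.isActive) {
      throw new UnauthorizedException('API key owner account is deactivated');
    }

    // Awaited without a catch, so a failed write rejects the request.
    // NOTE(review): save() is handed the entity as loaded above, not only
    // lastUsedAt. Confirm that a revocation committed between the lookup and
    // this write cannot be overwritten; a column-scoped update would narrow it.
    apiKey.lastUsedAt = new Date();
    await this.apiKeyRepo.save(apiKey);

    request.user = user;
    return true;
  }
}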
