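const crypto = require('crypto');

const jwt = require('jsonwebtoken');

const db = require('../config/db');

// signToken() issues HS256 tokens, so verification is pinned to the same
// algorithm instead of accepting whatever the token header announces.
const JWT_ALGORITHMS = ['HS256'];

const BEARER_PREFIX = 'Bearer ';

/**
 * Compare two strings without leaking, through timing, how many leading
 * characters match.
 *
 * Both inputs are hashed first because crypto.timingSafeEqual requires
 * equal-length buffers; hashing also hides the length of the expected value.
 *
 * @param {string} presented - Value supplied by the caller.
 * @param {string} expected - Secret value to compare against.
 * @returns {boolean} True when both strings are identical.
 */
function constantTimeEquals(presented, expected) {
  const presentedDigest = crypto.createHash('sha256').update(presented).digest();
  const expectedDigest = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(presentedDigest, expectedDigest);
}

/**
 * Express middleware: authenticate a client from a `Bearer` JWT.
 *
 * Verifies the token against JWT_SECRET, then checks the `clients` table so a
 * deactivated account is rejected even while its token is still unexpired.
 * On success the verified token payload is stored on `req.client`.
 *
 * Note that `req.client` carries the claims as they were when the token was
 * signed (id, email, business_name); only `is_active` is re-read from the
 * database on each request.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Express continuation.
 * @returns {Promise<*>} Resolves once a response was sent or `next` was called.
 */
async function requireAuth(req, res, next) {
  const header = req.headers.authorization;
  if (!header?.startsWith(BEARER_PREFIX)) {
    return res.status(401).json({ error: 'Authentication required' });
  }

  let payload;
  try {
    payload = jwt.verify(header.slice(BEARER_PREFIX.length), process.env.JWT_SECRET, {
      algorithms: JWT_ALGORITHMS,
    });
  } catch {
    // Covers bad signature, expiry, malformed token and a missing JWT_SECRET.
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  // A verified token that lacks an id claim cannot be tied to an account.
  if (payload === null || typeof payload !== 'object' || payload.id == null) {
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  let client;
  try {
    // Confirm account is still active — catches deactivated tenants mid-session
    client = await db.queryOne(
      'SELECT id, is_active FROM clients WHERE id = ? LIMIT 1',
      [payload.id]
    );
  } catch (err) {
    // A database failure is not an authentication failure: hand it to the
    // error handler rather than telling the caller the token is invalid.
    // The request is still refused, so this fails closed.
    return next(err);
  }

  // presumably queryOne yields a falsy value when no row matches — confirm in ../config/db
  if (!client || !client.is_active) {
    return res.status(401).json({ error: 'Account is inactive' });
  }

  req.client = payload;
  return next();
}

/**
 * Express middleware: authorize an administrator via a shared static token.
 *
 * The bearer value must equal the ADMIN_TOKEN environment variable. The check
 * fails closed when ADMIN_TOKEN is unset or empty, and an empty bearer value
 * is never accepted. On success `req.isAdmin` is set to true.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Express continuation.
 * @returns {*} Result of `res.json` or `next`.
 */
function requireAdmin(req, res, next) {
  const header = req.headers.authorization;
  if (!header?.startsWith(BEARER_PREFIX)) {
    return res.status(401).json({ error: 'Admin authentication required' });
  }

  const presented = header.slice(BEARER_PREFIX.length);
  const expected = process.env.ADMIN_TOKEN;

  // Without the emptiness checks, ADMIN_TOKEN='' would match an empty bearer
  // value. The comparison is constant-time so response timing does not reveal
  // how much of a guessed token is correct.
  if (expected && presented && constantTimeEquals(presented, expected)) {
    req.isAdmin = true;
    return next();
  }

  return res.status(401).json({ error: 'Invalid admin token' });
}

/**
 * Issue a session JWT for a client.
 *
 * The token is valid for 30 days and there is no per-token revocation in this
 * module; the `is_active` lookup in requireAuth is the only way an issued
 * token stops working before it expires.
 *
 * @param {{id: *, email: *, business_name: *}} client - Client record.
 * @returns {string} Signed JWT carrying id, email and business_name.
 */
function signToken(client) {
  const claims = {
    id: client.id,
    email: client.email,
    business_name: client.business_name,
  };
  // HS256 is jsonwebtoken's default for a shared secret; it is spelled out so
  // signing and verification visibly agree.
  return jwt.sign(claims, process.env.JWT_SECRET, {
    expiresIn: '30d',
    algorithm: JWT_ALGORITHMS[0],
  });
}

module.exports = { requireAuth, requireAdmin, signToken };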