// src/server/auth.ts
import { prisma } from "@/server/db"
import { getSession } from "@/server/session"
import { UserRole } from "@prisma/client"

/**
 * Shape of the user object stored on the server session, as read by
 * `requireUser`. Only `id` is verified at runtime there; every other field
 * is trusted as-is from the session store.
 */
export type SessionUser = {
  id: string
  email: string
  name: string
  // Drives the staff/client split used by the access helpers in this file.
  role: UserRole
  // null for staff and for users that are not bound to a tenant.
  tenantId: string | null
  // NOTE(review): presumably the tenant's CNPJ (Brazilian company registry id) — confirm against the session writer.
  cnpj?: string | null
}

/**
 * True for the internal back-office roles. Staff is exempt from tenant
 * scoping in the helpers below, so this list should stay deliberately short.
 */
export function isStaff(role: UserRole): boolean {
  const staffRoles: ReadonlyArray<UserRole> = ["ADMIN", "SUPPORT"]
  return staffRoles.includes(role)
}
 
/**
 * True for the tenant-bound (customer) roles. Viewer and admin are not
 * distinguished here; callers needing write permission must check further.
 */
export function isClient(role: UserRole): boolean {
  switch (role) {
    case "CLIENT_ADMIN":
    case "CLIENT_VIEWER":
      return true
    default:
      return false
  }
}

/**
 * Resolves the signed-in user from the server session.
 *
 * Only the presence of a truthy `id` is checked; the remaining fields are
 * taken on trust from whatever the session store holds.
 *
 * @throws Error("UNAUTHORIZED") when there is no session user or it has no id.
 */
export async function requireUser(): Promise<SessionUser> {
  const { user } = await getSession()
  const candidate = user as SessionUser | undefined

  if (candidate?.id) return candidate

  throw new Error("UNAUTHORIZED")
}

/**
 * Asserts that the current user may act on `tenantId`.
 *
 * Staff roles are not tenant-scoped and are accepted for any tenant id;
 * client roles must carry a tenant id that strictly equals the requested one.
 *
 * @param tenantId - The tenant the caller wants to operate on.
 * @returns The session user on success.
 * @throws Error("UNAUTHORIZED") when not signed in.
 * @throws Error("FORBIDDEN_NO_TENANT") for a non-staff user without a tenant.
 * @throws Error("FORBIDDEN_TENANT") when the user's tenant differs from `tenantId`.
 */
export async function requireTenantAccess(tenantId: string): Promise<SessionUser> {
  const user = await requireUser()

  // Staff bypasses the tenant comparison entirely.
  if (isStaff(user.role)) return user

  const ownTenant = user.tenantId
  if (!ownTenant) throw new Error("FORBIDDEN_NO_TENANT")
  if (ownTenant !== tenantId) throw new Error("FORBIDDEN_TENANT")

  return user
}

/**
 * Handy when a route should always operate on the signed-in user's own
 * tenant record.
 *
 * @returns The tenant row for client users, or `null` for staff (who have
 *   no tenant of their own — callers must handle the null).
 * @throws Error("UNAUTHORIZED") when not signed in.
 * @throws Error("FORBIDDEN_NO_TENANT") when a non-staff user has no tenant id,
 *   or the id does not match a tenant row.
 */
export async function getUserTenantOrThrow() {
  const user = await requireUser()

  if (isStaff(user.role)) return null

  const tenantId = user.tenantId
  if (!tenantId) throw new Error("FORBIDDEN_NO_TENANT")

  const tenant = await prisma.tenant.findUnique({ where: { id: tenantId } })
  if (tenant) return tenant

  // A dangling tenant id is treated exactly like having no tenant at all.
  throw new Error("FORBIDDEN_NO_TENANT")
}

/**
 * Returns the tenant id a client user is bound to, or `null` for staff.
 *
 * @throws Error("UNAUTHORIZED") when not signed in.
 * @throws Error("FORBIDDEN_NO_TENANT") for a non-staff user without a tenant id.
 */
export async function requireTenantIdForClient(): Promise<string | null> {
  const { role, tenantId } = await requireUser()

  if (isStaff(role)) return null
  if (tenantId) return tenantId

  throw new Error("FORBIDDEN_NO_TENANT")
}

/**
 * Restricts a route to back-office (staff) users.
 *
 * @returns The session user when its role passes `isStaff`.
 * @throws Error("UNAUTHORIZED") when not signed in.
 * @throws Error("FORBIDDEN") for any non-staff role.
 */
export async function requireStaff(): Promise<SessionUser> {
  const user = await requireUser()

  if (isStaff(user.role)) return user

  throw new Error("FORBIDDEN")
}
