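// server/auth/apiAuth.ts
import type { MiddlewareHandler } from "hono";
import type { ApiClientScope, ApiClientView } from "@shared/types.js";
import { authenticateApiToken, hasApiScope } from "../services/apiClients.js";

/** Context variables that {@link requireApiScope} sets for downstream handlers. */
export interface ApiAuthVariables {
  /** API client resolved from the bearer token of the current request. */
  apiClient: ApiClientView;
}

// Challenges sent with 401 responses. RFC 7235 requires a WWW-Authenticate
// header on every 401; RFC 6750 defines the Bearer scheme and its
// `invalid_token` error code. A request that carries no credentials at all
// gets the bare scheme, without an error code.
const BEARER_CHALLENGE = "Bearer";
const INVALID_TOKEN_CHALLENGE = 'Bearer error="invalid_token"';

/**
 * Extracts the credential from an `Authorization: Bearer <token>` header value.
 *
 * The scheme name is matched case-insensitively and surrounding whitespace is
 * trimmed. Everything after the scheme is returned as-is (inner whitespace
 * included); the value is not validated here, only by the token lookup.
 *
 * @param authorization Raw header value, or `null`/`undefined` when absent.
 * @returns The token string, or `null` when the header is missing, empty, or
 *   uses another scheme.
 */
export function extractBearerToken(
  authorization: string | null | undefined,
): string | null {
  if (!authorization) return null;

  const match = /^Bearer\s+(.+)$/i.exec(authorization.trim());
  const token = match?.[1]?.trim();
  // `||` rather than `??`: an empty capture must also collapse to null.
  return token || null;
}

/**
 * Builds a Hono middleware that only lets a request through when it carries a
 * valid API token whose client holds the `required` scope.
 *
 * Responses:
 * - 401 with a `WWW-Authenticate: Bearer` challenge when no token is sent;
 * - 401 with an `invalid_token` challenge when the token lookup returns nothing;
 * - 403 when the client is known but lacks the scope.
 *
 * On success the resolved client is stored under the `apiClient` context
 * variable. The submitted token is never echoed back in any response body.
 *
 * @param required Scope the authenticated client must hold.
 * @returns The middleware handler.
 */
export function requireApiScope(
  required: ApiClientScope,
): MiddlewareHandler<{ Variables: ApiAuthVariables }> {
  return async (c, next) => {
    const token = extractBearerToken(c.req.header("Authorization"));
    if (!token) {
      return c.json({ error: "Token API manquant" }, 401, {
        "WWW-Authenticate": BEARER_CHALLENGE,
      });
    }

    // NOTE(review): the lookup result is used synchronously. If
    // authenticateApiToken ever returns a Promise, the `!client` guard below
    // would never reject anything, so confirm it stays synchronous.
    const client = authenticateApiToken(token);
    if (!client) {
      // One message for both unknown and revoked tokens, so the response does
      // not reveal which of the two applies.
      return c.json({ error: "Token API invalide ou révoqué" }, 401, {
        "WWW-Authenticate": INVALID_TOKEN_CHALLENGE,
      });
    }

    if (!hasApiScope(client.scopes, required)) {
      return c.json({ error: "Scope API insuffisant" }, 403);
    }

    c.set("apiClient", client);
    await next();
  };
}

/** Internal helpers exposed under a single object (e.g. for unit tests). */
export const apiAuthInternals = { extractBearerToken };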