import { GraphQLError } from "graphql";
import type { User, UserRole } from "../types/user.js";
import { UserRole as UserRoleEnum } from "../types/user.js";

/**
 * Error thrown by every guard in this module when access is refused.
 *
 * It is a GraphQLError whose `extensions.code` is always "UNAUTHORIZED".
 * The same code is used for "no user present" and "user lacks the role",
 * so a client cannot tell the two cases apart from the code alone.
 */
export class AuthorizationError extends GraphQLError {
  constructor(message: string) {
    const options = { extensions: { code: "UNAUTHORIZED" } };
    super(message, options);
  }
}

/**
 * Guard: ensures a user is present.
 *
 * Only the truthiness of `user` is checked here; nothing in this function
 * verifies a token or session.
 * NOTE(review): presumably the caller builds `user` from an already verified
 * credential (e.g. in the GraphQL context factory) — confirm.
 *
 * @param user - The current user, or null when the request is anonymous.
 * @returns The same user object, typed as non-null.
 * @throws AuthorizationError when `user` is falsy.
 */
export function requireAuth(user: User | null): User {
  if (user) {
    return user;
  }
  throw new AuthorizationError("Authentifizierung erforderlich");
}

/**
 * Guard: ensures the user is authenticated and holds one of the given roles.
 *
 * Fails closed: an empty `requiredRoles` list matches no role, so every
 * caller is rejected.
 *
 * NOTE(review): the denial message lists the required role names. If error
 * messages are returned verbatim to API clients, callers without access
 * learn which roles protect the operation — confirm this is intended.
 *
 * @param user - The current user, or null when the request is anonymous.
 * @param requiredRoles - Roles that are allowed; holding any one is enough.
 * @returns The authenticated user.
 * @throws AuthorizationError when no user is present or the role is not in
 *   `requiredRoles`.
 */
export function requireRole(
  user: User | null,
  requiredRoles: UserRole[]
): User {
  // Authentication is checked first, so an anonymous request is rejected
  // before any role comparison happens.
  const principal = requireAuth(user);
  const roleIsAllowed = requiredRoles.includes(principal.role);

  if (roleIsAllowed) {
    return principal;
  }

  const roleList = requiredRoles.join(", ");
  throw new AuthorizationError(
    `Zugriff verweigert. Erforderliche Rollen: ${roleList}`
  );
}

/**
 * Guard: ensures the user holds the ADMIN role.
 *
 * @param user - The current user, or null when the request is anonymous.
 * @returns The authenticated admin user.
 * @throws AuthorizationError when no user is present or the role is not ADMIN.
 */
export function requireAdmin(user: User | null): User {
  const adminOnly = [UserRoleEnum.ADMIN];
  return requireRole(user, adminOnly);
}

/**
 * Guard: ensures the user holds the CUSTOMER or the ADMIN role.
 *
 * @param user - The current user, or null when the request is anonymous.
 * @returns The authenticated user.
 * @throws AuthorizationError when no user is present or the role is neither
 *   CUSTOMER nor ADMIN.
 */
export function requireCustomer(user: User | null): User {
  const customerOrAdmin = [UserRoleEnum.CUSTOMER, UserRoleEnum.ADMIN];
  return requireRole(user, customerOrAdmin);
}