import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { RbacService } from '../rbac.service';
import { JwtService } from '@nestjs/jwt';

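@Injectable()
export class RbacGuard implements CanActivate {
  /**
   * Route guard enforcing permission-based access control.
   *
   * Handlers carrying `permissions` metadata (a `string[]`) are reachable only
   * by callers whose verified JWT maps to a user holding at least one of those
   * permissions. Handlers without that metadata are not guarded.
   */
  constructor(
    private readonly reflector: Reflector,
    private readonly rbacService: RbacService,
    private readonly jwtService: JwtService,
  ) {}

  /**
   * Decides whether the current HTTP request may reach the handler.
   *
   * @param context - Execution context of the incoming request.
   * @returns `true` when the handler declares no `permissions` metadata, or
   *   when the bearer of a valid JWT holds any one of the required
   *   permissions; `false` otherwise. Every failure path (missing or
   *   malformed `token` header, signature/expiry failure, token without a
   *   usable `sub` claim, permission lookup error) denies access rather than
   *   throwing, so the guard always fails closed.
   */
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const requiredPermissions = this.reflector.get<string[]>('permissions', context.getHandler());
    if (!requiredPermissions) {
      // No metadata on the handler: the route is not subject to this guard.
      return true;
    }

    // The token is read from a custom `token` header. Node delivers a repeated
    // header as string[], and jwtService.verify expects a single string, so
    // anything other than a non-empty string is rejected up front.
    const { token } = context.switchToHttp().getRequest().headers;
    if (typeof token !== 'string' || token.length === 0) {
      return false;
    }

    try {
      const decoded = this.jwtService.verify(token);
      // A verified token without a subject cannot be attributed to a user;
      // deny instead of looking up permissions for `undefined`.
      const userId = decoded?.sub;
      if (userId == null || userId === '') {
        return false;
      }

      // Any one of the required permissions is sufficient. An empty
      // `permissions` array therefore denies everyone (fail closed).
      const userPermissions = await this.rbacService.getUserPermissions(userId);
      return requiredPermissions.some(permission => userPermissions.includes(permission));
    } catch {
      // Invalid or expired signature, or a failed permission lookup: fail closed.
      return false;
    }
  }
}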
