<?php

namespace KTXC\Controllers;

use KTXC\Http\Response\JsonResponse;
use KTXC\Module\ModuleManager;
use KTXC\Security\Authorization\PermissionChecker;
use KTXC\Service\UserAccountsService;
use KTXC\SessionIdentity;
use KTXF\Controller\ControllerAbstract;
use KTXC\SessionTenant;
use KTXF\Module\ModuleBrowserInterface;
use KTXF\Routing\Attributes\AuthenticatedRoute;

class InitController extends ControllerAbstract
{
    public function __construct(
        private readonly SessionTenant $tenant,
        private readonly SessionIdentity $userIdentity,
        private readonly ModuleManager $moduleManager,
        private readonly UserAccountsService $userService,
        private readonly PermissionChecker $permissionChecker,
    ) {}

    #[AuthenticatedRoute('/init', name: 'init', methods: ['GET'])]
    public function index(): JsonResponse {
        
        $configuration = [];

        // modules - filter by permissions
        $configuration['modules'] = [];
        foreach ($this->moduleManager->list() as $module) {
            // Check if user has permission to view this module
            // Allow access if user has: {module_handle}, {module_handle}.*, or * permission
            $handle = $module->handle();
            if (!$this->hasModuleViewPermission($handle)) {
                continue;
            }

            $integrations = $module->registerBI();
            if ($integrations !== null) {
                $configuration['modules'][$handle] = $integrations;
            }
        }

        // tenant
        $configuration['tenant'] = [
            'id' => $this->tenant->identifier(),
            'domain' => $this->tenant->domain(),
            'label' => $this->tenant->label(),
        ];

        // user
        $configuration['user'] = [
            'auth' => [
                'identifier' => $this->userIdentity->identifier(),
                'identity' => $this->userIdentity->identity()->getIdentity(),
                'label' => $this->userIdentity->label(),
                'roles' => $this->userIdentity->identity()->getRoles(),
                'permissions' => $this->userIdentity->identity()->getPermissions(),
            ],
            'profile' => $this->userService->getEditableFields($this->userIdentity->identifier()),
            'settings' => $this->userService->fetchSettings(),
        ];

        return new JsonResponse($configuration);

    }

    /**
     * Check if user has permission to view a module
     * 
     * Checks for the following permissions (in order):
     * 1. {module_handle} - module access permission
     * 2. {module_handle}.* - wildcard for the module
     * 3. * - global wildcard
     * 
     * @param string $moduleHandle The module handle to check
     * @return bool
     */
    private function hasModuleViewPermission(string $moduleHandle): bool
    {
        // Core module is always accessible to authenticated users
        if ($moduleHandle === 'core') {
            return true;
        }
        
        // Check for specific module permission or wildcard permissions
        return $this->permissionChecker->canAny([
            "{$moduleHandle}",
            "{$moduleHandle}.*",
        ]);
    }

}