<?php

namespace App\Http\Middleware;

use App\Services\Security\CaptchaVerifier;
use Closure;
use cPad\Plugins\Forum\Services\Security\ForumSecurityFirewallService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpFoundation\Response;

class ForumSecurityFirewallMiddleware
{
    public function __construct(
        private readonly ForumSecurityFirewallService $firewallService,
        private readonly CaptchaVerifier $captchaVerifier,
    ) {
    }

    public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
    {
        $assessment = $this->firewallService->assess($request, $action);
        $request->attributes->set('forum_firewall_assessment', $assessment);

        if ($this->requiresCaptcha($assessment, $action)) {
            $captcha = $this->captchaVerifier->frontendConfig();
            $tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
            $token = (string) (
                $request->input($tokenInput)
                ?: $request->header('X-Captcha-Token', '')
                ?: $request->header('X-Turnstile-Token', '')
            );

            if (! $this->captchaVerifier->verify($token, $request->ip())) {
                $message = 'Additional verification is required before continuing.';

                if ($request->expectsJson()) {
                    return response()->json([
                        'message' => $message,
                        'errors' => [
                            'captcha' => [$message],
                        ],
                        'requires_captcha' => true,
                        'captcha' => $captcha,
                    ], 422);
                }

                return redirect()->back()
                    ->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
                    ->withErrors(['captcha' => $message]);
            }

            $request->attributes->set('forum_firewall_captcha_verified', true);
        }

        if ((bool) ($assessment['blocked'] ?? false)) {
            $message = 'Security firewall blocked this request.';

            if ($request->expectsJson()) {
                return response()->json([
                    'message' => $message,
                    'errors' => [
                        'security' => [$message],
                    ],
                ], 429);
            }

            throw ValidationException::withMessages([
                'security' => [$message],
            ]);
        }

        return $next($request);
    }

    private function requiresCaptcha(array $assessment, string $action): bool
    {
        if (! $this->captchaVerifier->isEnabled()) {
            return false;
        }

        if (! (bool) ($assessment['requires_captcha'] ?? false)) {
            return false;
        }

        return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
    }
}