<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureOnboardingComplete
{
    /**
     * Paths that must always be reachable regardless of onboarding state,
     * so authenticated users can log out, complete OAuth flows, etc.
     */
    private const ALWAYS_ALLOW = [
        'logout',
        'auth/*',           // OAuth redirects & callbacks
        'verify/*',         // email verification links
        'setup/*',          // all /setup/* pages (password, username)
        'up',               // health check
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();
        if (! $user) {
            return $next($request);
        }

        $step = strtolower((string) ($user->onboarding_step ?? ''));
        if ($step === 'complete') {
            return $next($request);
        }

        // Always allow critical auth / setup paths through.
        if ($request->is(self::ALWAYS_ALLOW)) {
            return $next($request);
        }

        $target = match ($step) {
            'email'                   => '/login',
            'verified'                => '/setup/password',
            'password', 'username'    => '/setup/username',
            default                   => '/setup/password',
        };

        return redirect($target);
    }
}