import { NextResponse } from 'next/server';
import { withErrorHandler, RouteContext } from '@server/middleware/withErrorHandler';
import { withAuth, AuthedRequest, requireSection } from '@server/middleware/withAuth';
import { withValidationAuthed } from '@server/middleware/withValidation';
import { updateStaffSchema } from '@server/validators/staff.validator';
import { getStaffMember, updateStaffMember, deactivateStaffMember, deleteStaffMember } from '@server/services/staff.service';
import { ForbiddenError } from '@server/errors';

/**
 * Asserts that a branch-pinned caller is operating on a staff member that
 * belongs to their pinned branch. Owners (pinnedBranchId === null or undefined)
 * bypass this check and may access any branch within the restaurant.
 */
function assertBranchAccess(pinnedBranchId: string | null | undefined, memberBranchId: unknown): void {
  if (pinnedBranchId == null) return;
  if (memberBranchId !== pinnedBranchId) {
    throw new ForbiddenError('You do not have access to staff members in this branch');
  }
}

export const GET = withErrorHandler(
  withAuth(async (req: AuthedRequest, ctx: RouteContext) => {
    await requireSection(req, 'staff', 'read');

    const { id } = await ctx.params;
    const member = await getStaffMember(id, req.session.restaurantId!);

    assertBranchAccess(req.session.pinnedBranchId, (member as Record<string, unknown>).branch_id);

    return NextResponse.json({ staff: member });
  })
);

export const PATCH = withErrorHandler(
  withAuth(
    withValidationAuthed(updateStaffSchema, async (req, ctx: RouteContext) => {
      await requireSection(req, 'staff', 'update');

      const { id } = await ctx.params;
      const { pinnedBranchId, restaurantId } = req.session;

      // Fetch the target member first to enforce branch scope before mutating.
      const existing = await getStaffMember(id, restaurantId!);
      assertBranchAccess(pinnedBranchId, (existing as Record<string, unknown>).branch_id);

      const bodyData = req.parsedBody as Record<string, unknown>;

      if (bodyData.is_active === false) {
        const member = await deactivateStaffMember(id, restaurantId!);
        return NextResponse.json({ staff: member });
      }

      const member = await updateStaffMember(id, restaurantId!, bodyData);
      return NextResponse.json({ staff: member });
    })
  )
);

export const DELETE = withErrorHandler(
  withAuth(async (req: AuthedRequest, ctx: RouteContext) => {
    await requireSection(req, 'staff', 'delete');

    const { id } = await ctx.params;
    const { pinnedBranchId, restaurantId } = req.session;

    // Fetch the target member first to enforce branch scope before deleting.
    const existing = await getStaffMember(id, restaurantId!);
    assertBranchAccess(pinnedBranchId, (existing as Record<string, unknown>).branch_id);

    await deleteStaffMember(id, restaurantId!);
    return NextResponse.json({ success: true });
  })
);