const jwt = require('jsonwebtoken');
const asyncHandler = require('express-async-handler');
const User = require('../models/User');

// 保护路由 - 验证 JWT Token
const protect = asyncHandler(async (req, res, next) => {
  let token;

  // 从 Authorization 头获取 token
  if (req.headers.authorization && req.headers.authorization.startsWith('Bearer')) {
    try {
      // 获取 token
      token = req.headers.authorization.split(' ')[1];

      // 验证 token
      const decoded = jwt.verify(token, process.env.JWT_SECRET);

      // 获取用户并添加到请求对象中，不包含密码
      req.user = await User.findById(decoded.id).select('-password');

      if (!req.user) {
        res.status(401);
        throw new Error('未授权，用户不存在');
      }

      next();
    } catch (error) {
      res.status(401);
      throw new Error('未授权，token 无效');
    }
  }

  if (!token) {
    res.status(401);
    throw new Error('未授权，未提供 token');
  }
});

// 限制仅管理员访问
const admin = (req, res, next) => {
  if (req.user && req.user.isAdmin) {
    next();
  } else {
    res.status(403);
    throw new Error('未授权，仅管理员可访问');
  }
};

module.exports = { protect, admin };