using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using DysonNetwork.Shared.Services;
using MagicOnion;

namespace DysonNetwork.Sphere.Permission;

/// <summary>
/// Declarative authorization gate for MVC actions and controllers: the decorated
/// action runs only when the permission service grants <c>permission</c> within
/// <c>scope</c>.
/// </summary>
/// <remarks>
/// The attribute itself carries no logic. It asks MVC to build a
/// <c>RequiredPermissionFilter</c> through dependency injection and hands it the
/// two strings as extra constructor arguments.
/// </remarks>
public class RequiredPermissionAttribute : TypeFilterAttribute
{
    /// <summary>Creates the attribute for one scope/permission pair.</summary>
    /// <param name="scope">Permission scope forwarded unchanged to the permission service.</param>
    /// <param name="permission">Permission key forwarded unchanged to the permission service.</param>
    public RequiredPermissionAttribute(string scope, string permission)
        : base(typeof(RequiredPermissionFilter))
        => Arguments = new object[] { scope, permission };

    /// <summary>
    /// Action filter that performs the check. It is private, so the attribute is
    /// the only way to attach it.
    /// </summary>
    private class RequiredPermissionFilter : IAsyncActionFilter
    {
        private readonly IPermissionService _permissionService;
        private readonly string _scope;
        private readonly string _permission;

        /// <summary>Stores the injected service and the pair supplied by the attribute.</summary>
        /// <param name="permissionService">Service that answers the permission question; resolved from DI.</param>
        /// <param name="scope">Scope to check.</param>
        /// <param name="permission">Permission key to check.</param>
        public RequiredPermissionFilter(IPermissionService permissionService, string scope, string permission)
        {
            (_permissionService, _scope, _permission) = (permissionService, scope, permission);
        }

        /// <summary>
        /// Queries the permission service and either continues the pipeline or
        /// short-circuits the request with a <see cref="ForbidResult"/>.
        /// </summary>
        /// <param name="context">Context of the action about to execute.</param>
        /// <param name="next">Delegate that runs the rest of the pipeline, including the action.</param>
        public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
        {
            // Only scope and permission are sent; nothing from context.HttpContext.User
            // (or any other actor identifier) is passed along. The original author assumed
            // the actor is always "user:current" for client-side checks.
            // NOTE(review): the decision is therefore only as caller-specific as the service's
            // own identity resolution. Confirm that CheckPermission binds to the authenticated
            // principal of this request rather than to a fixed or service-level actor.
            var isGranted = await _permissionService.CheckPermission(_scope, _permission);

            // If the call above throws, the exception propagates before next() is reached,
            // so the action does not run on a failed lookup (fails closed).
            if (isGranted)
            {
                await next();
                return;
            }

            // Setting Result without calling next() short-circuits the action. Anonymous and
            // authenticated-but-unauthorized callers are not distinguished here; both get the
            // forbid response of the configured authentication scheme.
            context.Result = new ForbidResult();
        }
    }
}