using System.Security.Claims;
using Campaign_Tracker.Server.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

namespace Campaign_Tracker.Server.Authorization;

public sealed class AuthorizationAuditResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public async Task HandleAsync(
        RequestDelegate next,
        HttpContext context,
        AuthorizationPolicy policy,
        PolicyAuthorizationResult authorizeResult)
    {
        var auditStore = context.RequestServices.GetRequiredService<IAuthenticationAuditStore>();
        if (authorizeResult.Forbidden)
        {
            auditStore.RecordAuthorizationDenied(
                GetActor(context.User),
                context.Request.Path,
                context.TraceIdentifier);
        }
        else if (authorizeResult.Challenged)
        {
            auditStore.RecordAuthorizationDenied(
                "anonymous",
                context.Request.Path,
                context.TraceIdentifier);
        }
        else if (authorizeResult.Succeeded)
        {
            auditStore.RecordAuthorizationAllowed(
                GetActor(context.User),
                context.Request.Path,
                context.TraceIdentifier);
        }

        await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
    }

    private static string GetActor(ClaimsPrincipal user)
    {
        return user.Identity?.Name ??
               user.FindFirstValue(ClaimTypes.NameIdentifier) ??
               "unknown";
    }
}