<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AdminTokenAuth
{
    public function handle(Request $request, Closure $next): Response
    {
        $configuredToken = (string) config('store.admin_token', env('STORE_ADMIN_TOKEN', ''));

        if ($configuredToken === '') {
            return response()->json([
                'code' => 500,
                'message' => 'admin token not configured',
                'data' => null,
            ], 500);
        }

        $incomingToken = $this->extractToken($request);
        if (!hash_equals($configuredToken, $incomingToken)) {
            return response()->json([
                'code' => 401,
                'message' => 'unauthorized',
                'data' => null,
            ], 401);
        }

        return $next($request);
    }

    private function extractToken(Request $request): string
    {
        $header = (string) $request->header('Authorization', '');
        if (preg_match('/^Bearer\s+(.+)$/i', $header, $matches)) {
            return trim($matches[1]);
        }

        return (string) ($request->header('X-Admin-Token')
            ?: $request->query('admin_token')
            ?: $request->input('admin_token', ''));
    }
}