package middleware

import (
	"net/http"
	"strings"
)

// AIAuthMiddleware validates Bearer token for AI agent access
func AIAuthMiddleware(validToken string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Skip auth if no token configured
			if validToken == "" {
				respondError(w, http.StatusServiceUnavailable, "ai_disabled", "AI agent access not configured")
				return
			}

			authHeader := r.Header.Get("Authorization")

			if authHeader == "" {
				respondError(w, http.StatusUnauthorized, "unauthorized", "Missing Authorization header")
				return
			}

			if !strings.HasPrefix(authHeader, "Bearer ") {
				respondError(w, http.StatusUnauthorized, "unauthorized", "Invalid Authorization header format")
				return
			}

			token := strings.TrimPrefix(authHeader, "Bearer ")
			if token != validToken {
				respondError(w, http.StatusUnauthorized, "unauthorized", "Invalid or missing token")
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

// respondError sends a JSON error response
func respondError(w http.ResponseWriter, status int, error, message string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	w.Write([]byte(`{"error":"` + error + `","message":"` + message + `"}`))
}