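// ============================================================
// Elegant Work — Auth.js
// Client-side session holder: bearer token, current user and the
// per-module permission map used to gate UI elements.
//
// Storage: localStorage keys ew_token / ew_user / ew_perms.
//
// SECURITY NOTES (review):
//  * localStorage is readable by any script running on this origin, so an
//    XSS anywhere in the app hands the bearer token to the attacker. The
//    storage location is part of this module's contract (the API module
//    presumably reads getToken() for its auth header — not visible here),
//    so it is left unchanged; an HttpOnly cookie session would be safer.
//  * Everything in localStorage can be edited by the user. role_id,
//    is_admin and the permission map therefore only decide what the UI
//    renders; the server must enforce authorization on every request.
//  * The in-memory flags are derived from what the server returned or
//    from localStorage; they are never computed from the token itself.
// ============================================================
const Auth = (() => {
  const TOKEN_KEY = 'ew_token';
  const USER_KEY = 'ew_user';
  const PERM_KEY = 'ew_perms';
  // role_id === 1 is treated as admin by the client (also used by isAdmin()).
  const ADMIN_ROLE_ID = 1;

  let _currentUser = null;
  let _permissions = null;
  let _isAdmin = false;

  /**
   * Normalize a server-side flag to a boolean.
   * Fields arrive as booleans, numbers or numeric strings depending on the
   * endpoint. A plain truthiness test is wrong here: `!!"0"` is true, which
   * previously made `is_admin: "0"` unlock every UI permission.
   * @param {unknown} value
   * @returns {boolean}
   */
  function toFlag(value) {
    if (value === true) return true;
    const n = Number.parseInt(value, 10);
    return Number.isFinite(n) && n !== 0;
  }

  /**
   * Numeric role id of a user record (NaN when absent / not numeric).
   * @param {object|null|undefined} user
   * @returns {number}
   */
  function roleIdOf(user) {
    return Number.parseInt(user?.role_id, 10);
  }

  /**
   * Read and JSON-parse one localStorage entry.
   * @param {string} key
   * @returns {object|null} the parsed object, or null when the entry is
   *   missing, not valid JSON, or not an object
   */
  function parseStoredJson(key) {
    const raw = localStorage.getItem(key);
    if (raw === null) return null;
    try {
      const parsed = JSON.parse(raw);
      return typeof parsed === 'object' ? parsed : null;
    } catch (_) {
      // Corrupt entry: behave as if it were absent.
      return null;
    }
  }

  /** @returns {string|null} the stored bearer token, if any */
  function getToken() {
    return localStorage.getItem(TOKEN_KEY);
  }

  /** @returns {object|null} the user record from the last login / restore */
  function getCurrentUser() {
    return _currentUser;
  }

  /**
   * Persist a freshly authenticated session.
   * Any permission map from a previous session is discarded (in memory and
   * in storage) so a new login cannot inherit the previous user's grants if
   * loadPermissions() later fails; can() then denies by default.
   * @param {string} token  bearer token returned by auth/login
   * @param {object} user   user record returned by auth/login
   */
  function saveSession(token, user) {
    localStorage.setItem(TOKEN_KEY, token);
    localStorage.setItem(USER_KEY, JSON.stringify(user));
    localStorage.removeItem(PERM_KEY);
    _currentUser = user;
    _permissions = null;
    _isAdmin = roleIdOf(user) === ADMIN_ROLE_ID;
  }

  /** Forget the session locally (does not contact the server). */
  function clearSession() {
    localStorage.removeItem(TOKEN_KEY);
    localStorage.removeItem(USER_KEY);
    localStorage.removeItem(PERM_KEY);
    _currentUser = null;
    _permissions = null;
    _isAdmin = false;
  }

  /**
   * Rebuild in-memory state from localStorage (page reload).
   * Storage is the source of truth: missing or corrupt entries reset the
   * corresponding field instead of leaving a previous value in place.
   * @returns {boolean} true when both a token and a user record are present
   */
  function loadFromStorage() {
    _currentUser = parseStoredJson(USER_KEY);
    _permissions = parseStoredJson(PERM_KEY);
    // Derived from user-editable storage: UI gating only.
    _isAdmin = _currentUser !== null && roleIdOf(_currentUser) === ADMIN_ROLE_ID;
    return getToken() !== null && _currentUser !== null;
  }

  /**
   * Fetch the current user's permission map from the server and cache it.
   * Best effort: on a failed request or an unsuccessful response the state
   * restored by loadFromStorage() (possibly stale, possibly null) is kept,
   * and can() keeps denying anything not in the map.
   */
  async function loadPermissions() {
    try {
      const res = await API.post('roles/permissions', { action: 'get_my' });
      if (!res?.success) return;
      const data = res.data ?? {};
      const map = {};
      for (const p of data.permissions ?? []) {
        map[`${p.module}.${p.action}`] = toFlag(p.allowed);
      }
      // Same normalization as the individual grants (see toFlag).
      _isAdmin = toFlag(data.is_admin);
      _permissions = map;
      localStorage.setItem(PERM_KEY, JSON.stringify(map));
    } catch (_) {
      // Deliberately swallowed: a permission fetch failure must not break
      // the page; the caller falls back to the cached / empty map.
    }
  }

  /**
   * UI-side check whether the current user may perform `action` on `module`.
   * Admin always passes; otherwise the grant must be present in the map.
   * This is NOT an authorization decision — the server re-checks every call.
   * @param {string} module
   * @param {string} action
   * @returns {boolean}
   */
  function can(module, action) {
    if (_isAdmin) return true;
    if (!_permissions) return false;
    // Map values are booleans written by loadPermissions().
    return _permissions[`${module}.${action}`] === true;
  }

  /**
   * Authenticate and, on success, persist the session and load permissions.
   * A "success" response that carries no token/user is reported as a
   * failure instead of storing the string "undefined" as the token.
   * @param {string} username
   * @param {string} password
   * @returns {Promise<object>} the auth/login response (success flag patched
   *   to false when the payload was unusable)
   */
  async function login(username, password) {
    const res = await API.post('auth/login', { username, password });
    if (!res?.success) return res;
    const token = res.data?.token;
    const user = res.data?.user;
    if (typeof token !== 'string' || token === '' || !user) {
      return { ...res, success: false };
    }
    saveSession(token, user);
    await loadPermissions();
    return res;
  }

  /**
   * Log out: notify the server (so it can revoke the token) when one is
   * stored, then drop the local session regardless of the server's answer,
   * and navigate to the login route.
   */
  async function logout() {
    if (getToken()) {
      try {
        await API.post('auth/logout', {});
      } catch (_) {
        // Best effort; the local copy is cleared below either way.
      }
    }
    clearSession();
    Router.navigate('login');
  }

  /**
   * Whether the current user's role_id is one of the given ids.
   * @param {...number} roleIds
   * @returns {boolean}
   */
  function hasRole(...roleIds) {
    if (!_currentUser) return false;
    return roleIds.includes(roleIdOf(_currentUser));
  }

  /** @returns {boolean} admin flag from the server, or role_id 1 from storage */
  function isAdmin() {
    return _isAdmin;
  }

  // Role shortcuts; admin (1) is included in every group.
  function isDev() {
    return hasRole(1, 2);
  }

  function isQA() {
    return hasRole(1, 3);
  }

  function isTech() {
    return hasRole(1, 4);
  }

  function isHR() {
    return hasRole(1, 5);
  }

  /**
   * Up to two upper-case initials from the user's full_name, or '?' when
   * there is no usable name. Runs of whitespace are treated as one separator.
   * @returns {string}
   */
  function getUserInitials() {
    const name = _currentUser?.full_name;
    if (typeof name !== 'string' || name.trim() === '') return '?';
    return name
      .trim()
      .split(/\s+/)
      .map((part) => part[0])
      .join('')
      .toUpperCase()
      .slice(0, 2);
  }

  return {
    getToken,
    getCurrentUser,
    saveSession,
    clearSession,
    loadFromStorage,
    loadPermissions,
    login,
    logout,
    can,
    hasRole,
    isAdmin,
    isDev,
    isQA,
    isTech,
    isHR,
    getUserInitials,
  };
})();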