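/**
 * Admin authentication guard.
 *
 * Responsibilities:
 * - Protects the back-office admin endpoints.
 * - Validates the `Authorization: Bearer <token>` header.
 * - Only admins with role=9 are meant to pass. Note that no role check is
 *   performed in this file; presumably `AdminCoreService.verifyToken` enforces
 *   it — confirm there before relying on this guard alone.
 *
 * @author jianuo
 * @version 1.0.0
 * @since 2025-12-19
 */
import { CanActivate, ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
import { Request } from 'express';
import { AdminCoreService, AdminAuthPayload } from '../../../core/admin_core/admin_core.service';

/** Express request augmented with the verified admin payload attached by {@link AdminGuard}. */
export interface AdminRequest extends Request {
  admin?: AdminAuthPayload;
}

@Injectable()
export class AdminGuard implements CanActivate {
  constructor(private readonly adminCoreService: AdminCoreService) {}

  /**
   * Verifies the bearer token on the incoming request and stores the decoded
   * payload on `req.admin` for downstream handlers.
   *
   * @param context - NestJS execution context of the current HTTP request.
   * @returns `true` when the token verifies; the guard never returns `false`,
   *   it throws instead.
   * @throws UnauthorizedException when the header is missing or is not exactly
   *   `Bearer <token>`. Whatever `verifyToken` throws on a bad token propagates
   *   unchanged — its failure mode is not visible from this file.
   */
  canActivate(context: ExecutionContext): boolean {
    // Typed request so the `req.admin` write below is checked against AdminRequest
    // instead of going through an implicit `any`.
    const req = context.switchToHttp().getRequest<AdminRequest>();
    const auth = req.headers['authorization'];
    if (!auth || Array.isArray(auth)) {
      throw new UnauthorizedException('缺少Authorization头');
    }

    // Require exactly `Bearer <token>`: a header with extra space-separated
    // segments is rejected rather than silently truncated to its second part.
    // The scheme is compared case-sensitively (stricter than RFC 6750, which
    // treats the scheme as case-insensitive); keep this unless clients need it.
    const parts = auth.split(' ');
    if (parts.length !== 2) {
      throw new UnauthorizedException('Authorization格式错误');
    }
    const [scheme, token] = parts;
    if (scheme !== 'Bearer' || !token) {
      throw new UnauthorizedException('Authorization格式错误');
    }

    const payload = this.adminCoreService.verifyToken(token);
    req.admin = payload;
    return true;
  }
}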