<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Notification;
use App\Notifications\AdminAccessNotification;
use Illuminate\Notifications\AnonymousNotifiable;

class Admin
{
    /**
     * Ensure the authenticated user is an admin (role == 0).
     */
    public function handle(Request $request, Closure $next): Response
    {
        if (!Auth::check() || !Auth::user()->isAdmin()) {
            abort(403, 'Unauthorized');
        }

        // Notify admin email of access — throttled to once per 15 minutes per user+IP
        $adminEmail = config('app.admin_notify_email');
        if ($adminEmail) {
            $cacheKey = 'admin_notify:' . Auth::id() . ':' . $request->ip();
            if (!Cache::has($cacheKey)) {
                Notification::route('mail', $adminEmail)->notify(
                    new AdminAccessNotification(
                        Auth::user()->name,
                        $request->ip(),
                        $request->header('User-Agent', 'unknown')
                    )
                );
                Cache::put($cacheKey, true, now()->addMinutes(15));
            }
        }

        return $next($request);
    }
}