<?php

namespace App\Http\Responses;

use App\Support\LoginRedirect;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Fortify\Contracts\LoginResponse as LoginResponseContract;
use Laravel\Fortify\Contracts\TwoFactorLoginResponse as TwoFactorLoginResponseContract;

/**
 * Einheitliche Antwort für den Fortify-POST-Login UND den Abschluss der
 * 2FA-Challenge. Spiegelt dieselbe Policy wie der Volt-Login:
 *  - unverifiziert → Verifizierungs-Notice
 *  - verifiziert, aber inaktiv → Login blockiert (Logout + Fehler)
 *  - sonst rollengerechter, 403-sicherer Redirect (intended nur wenn erreichbar)
 */
class RoleAwareLoginResponse implements LoginResponseContract, TwoFactorLoginResponseContract
{
    public function toResponse($request): RedirectResponse|JsonResponse
    {
        if ($request instanceof Request && $request->wantsJson()) {
            return new JsonResponse('', 204);
        }

        $user = $request->user();

        if ($user && ! $user->hasVerifiedEmail()) {
            return redirect()->route('verification.notice');
        }

        if ($user && ! $user->is_active) {
            Auth::guard('web')->logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->route('login')->withErrors([
                'email' => __('Ihr Konto ist nicht aktiv. Bitte wenden Sie sich an den Support.'),
            ]);
        }

        $default = LoginRedirect::homeFor($user);
        $intended = $request->session()->pull('url.intended');

        return redirect(LoginRedirect::safeTarget($user, $intended, $default));
    }
}