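import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
import { redirect } from "next/navigation"

import { resolveRoleFromServerContext } from "@/lib/access-server"

/** Arguments for {@link requirePermissionForRoute}. */
type RequirePermissionParams = {
  /** Path the user is sent back to after logging in; forwarded as the `next` query parameter. */
  nextPath: string
  /** Permission the current role must hold to render the route. */
  permission: Permission
  /** Scope in which `permission` is evaluated. */
  scope: PermissionScope
}

/**
 * Resolves the caller's role on the server, redirecting to the login page when none is found.
 *
 * `nextPath` is only percent-encoded here, not validated. Callers should pass an
 * application-internal path, and the login flow that consumes `next` has to confirm it is a
 * same-site relative path before redirecting to it; otherwise the parameter can act as an
 * open redirect.
 *
 * @param nextPath - Path to return to after a successful login.
 * @returns The resolved role. `redirect` from `next/navigation` throws, so execution does not
 *   continue past the login redirect.
 */
export async function requireRoleForRoute(nextPath: string): Promise<Role> {
  const role = await resolveRoleFromServerContext()

  if (!role) {
    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
  }

  return role
}

/**
 * Requires an authenticated role that `hasPermission` accepts for the given permission and scope.
 *
 * Unauthenticated callers are redirected to the login page by {@link requireRoleForRoute};
 * authenticated callers lacking the permission are redirected to `/unauthorized`.
 *
 * This check covers only the route that calls it. Server actions and API handlers reachable
 * from that route need their own authorization check.
 *
 * @param params - Return path plus the permission and scope to enforce.
 * @returns The role that passed the permission check.
 */
export async function requirePermissionForRoute(params: RequirePermissionParams): Promise<Role> {
  const role = await requireRoleForRoute(params.nextPath)

  if (!hasPermission(role, params.permission, params.scope)) {
    // Encode both values, as the login redirect does, so a permission or scope name containing
    // `&`, `#` or `=` cannot break the query string. The /unauthorized page must still treat
    // `required` and `scope` as untrusted display-only input: anyone can craft that URL.
    const required = encodeURIComponent(params.permission)
    const scope = encodeURIComponent(params.scope)
    redirect(`/unauthorized?required=${required}&scope=${scope}`)
  }

  return role
}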