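package service

import (
	"strings"

	"github.com/pocketbase/pocketbase"
	"github.com/pocketbase/pocketbase/apis"
	"github.com/pocketbase/pocketbase/core"
)

// lowerASCII returns s with the bytes 'A'-'Z' lower-cased and every other
// rune left untouched.
//
// It is used instead of strings.ToLower / strings.EqualFold for the domain
// check because Unicode case folding maps some non-ASCII runes onto ASCII
// letters (for example U+212A KELVIN SIGN folds to 'k'), which would let a
// different, look-alike domain compare equal to the allowed one.
func lowerASCII(s string) string {
	return strings.Map(func(r rune) rune {
		if 'A' <= r && r <= 'Z' {
			return r + ('a' - 'A')
		}
		return r
	}, s)
}

// AddHooks registers the OAuth2 login gate on the "users" collection.
//
// The hook takes the e-mail address reported for the OAuth2 user, falling
// back to the "email" key of the raw provider payload when the main field is
// empty. It rejects the request with a bad-request API error when no address
// is available or when the address does not end in the employee domain, and
// otherwise passes the event on with e.Next().
func AddHooks(app *pocketbase.PocketBase) {
	// Employee mailbox suffix, written in lower case. The leading "@" is part
	// of the match, so addresses on a subdomain such as
	// "@stud.htwk-leipzig.de" do not pass.
	const allowedSuffix = "@htwk-leipzig.de"

	app.OnRecordAuthWithOAuth2Request("users").BindFunc(func(e *core.RecordAuthWithOAuth2RequestEvent) error {
		email := e.OAuth2User.Email

		// If email is not in the main field, try to extract it from RawUser.
		if email == "" {
			if rawEmail, ok := e.OAuth2User.RawUser["email"].(string); ok {
				email = rawEmail
				// Explicitly set the email on the OAuth2User so PocketBase uses it.
				e.OAuth2User.Email = rawEmail
			}
		}

		if email == "" {
			return apis.NewBadRequestError("No email received from OAuth2 provider. Please ensure your account has an email address and the 'email' scope is granted.", nil)
		}

		// NOTE(review): the suffix check below is the only access gate in this
		// hook, and it trusts the address exactly as the provider reports it.
		// Nothing here checks that the provider has verified the address;
		// confirm that the configured provider only returns verified e-mail
		// addresses, or check its verification flag before this point.

		// Restrict login to @htwk-leipzig.de employees only (not students).
		// Domain names are case-insensitive, so the comparison runs on an
		// ASCII-lower-cased copy; the address stored on e.OAuth2User is left
		// exactly as the provider sent it.
		if !strings.HasSuffix(lowerASCII(email), allowedSuffix) {
			return apis.NewBadRequestError("Login restricted to @htwk-leipzig.de emails. Students (@stud.htwk-leipzig.de) are not allowed.", nil)
		}

		return e.Next()
	})
}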