use crate::handlers::AppState;
use crate::middleware::TenantId;
use crate::middleware::auth::AuthContext;
use axum::extract::State;
use common_telemetry::{AppError, AppResponse};
use tracing::instrument;

#[utoipa::path(
    get,
    path = "/me/permissions",
    tag = "Me",
    security(
        ("bearer_auth" = [])
    ),
    responses(
        (status = 200, description = "当前用户权限列表", body = [String]),
        (status = 401, description = "未认证"),
        (status = 403, description = "无权限")
    ),
    params(
        ("Authorization" = String, Header, description = "Bearer <access_token>（访问令牌）"),
        ("X-Tenant-ID" = String, Header, description = "租户 UUID（可选，若提供需与 Token 中 tenant_id 一致）")
    )
)]
#[instrument(skip(state))]
/// 查询当前登录用户在当前租户下的权限编码列表。
///
/// 用途：
/// - 快速自查当前令牌是否携带期望的权限（便于联调与排障）。
///
/// 输入：
/// - Header `Authorization: Bearer <access_token>`（必填）
/// - Header `X-Tenant-ID`（可选；若提供需与 Token 中 tenant_id 一致，否则返回 403）
///
/// 输出：
/// - `200`：权限字符串数组（如 `user:read`）
///
/// 异常：
/// - `401`：未携带或无法解析访问令牌
/// - `403`：租户不匹配或无权访问
pub async fn my_permissions_handler(
    TenantId(tenant_id): TenantId,
    State(state): State<AppState>,
    AuthContext {
        tenant_id: auth_tenant_id,
        user_id,
        ..
    }: AuthContext,
) -> Result<AppResponse<Vec<String>>, AppError> {
    if auth_tenant_id != tenant_id {
        return Err(AppError::PermissionDenied("tenant:mismatch".into()));
    }

    let permissions = state
        .authorization_service
        .list_permissions_for_user(tenant_id, user_id)
        .await?;
    Ok(AppResponse::ok(permissions))
}