import { verify, JsonWebTokenError, TokenExpiredError } from 'jsonwebtoken';
import { CanActivate, ExecutionContext } from '@nestjs/common';
import { RpcException } from '@nestjs/microservices';

export class JwtRpcAuthGuard implements CanActivate {
  canActivate(context: ExecutionContext): boolean {
    const ctx = context.switchToRpc();
    const data = ctx.getData();
    const token = data?.headers?.authorization?.replace('Bearer ', '');

    if (!token) {
      throw new RpcException({
        statusCode: 401,
        message: 'No token provided',
      });
    }

    try {
      const payload = verify(token, process.env.JWT_SECRET!); // <-- directamente
      data.user = payload;
      return true;
    } catch (e) {
      if (e instanceof TokenExpiredError) {
        throw new RpcException({ statusCode: 401, message: 'Token expirado' });
      }
      if (e instanceof JsonWebTokenError) {
        throw new RpcException({ statusCode: 401, message: 'Invalid signature' });
      }
      throw new RpcException({ statusCode: 500, message: 'Internal server error' });
    }
  }
}
