"use client";

import React, { createContext, useMemo } from "react";
import { useSession } from "next-auth/react";
import {
  buildAbilityFromPermissions,
  createEmptyAbility,
  getPermissionsFromSession,
  type AppAbility,
} from "@/lib/casl";

const AbilityContext = createContext<AppAbility | null>(null);

export function AbilityProvider({ children }: { children: React.ReactNode }) {
  const { data: session, status } = useSession();
  const ability = useMemo<AppAbility>(() => {
    if (status === "loading") return createEmptyAbility();
    const backendUser = (session as { backendUser?: unknown } | null)?.backendUser;
    const permissions = getPermissionsFromSession(backendUser);

    // Extract role name for admin check
    const roleName = backendUser && typeof backendUser === 'object'
      ? (backendUser as { role?: { name?: string } }).role?.name
      : undefined;

    return buildAbilityFromPermissions(permissions, roleName);
  }, [session, status]);

  return (
    <AbilityContext.Provider value={ability}>
      {children}
    </AbilityContext.Provider>
  );
}

export function useAbility(): AppAbility {
  const ctx = React.useContext(AbilityContext);
  return ctx ?? createEmptyAbility();
}

/** Render children only if the user can do action on subject. */
export function Can({
  children,
  action,
  subject,
  fallback = null,
}: {
  children: React.ReactNode;
  action: string;
  subject: string;
  fallback?: React.ReactNode;
}) {
  const ability = useAbility();
  if (ability.can(action, subject)) return <>{children}</>;
  return <>{fallback}</>;
}