nakama/backend/middleware/auth.js

const User = require('../models/User');
const { validateTelegramId } = require('./validator');
const { logSecurityEvent } = require('./logger');
const { validateAndParseInitData } = require('../utils/telegram');

const OFFICIAL_CLIENT_MESSAGE = 'Используйте официальный клиент. Сообщите об ошибке в https://t.me/NakamaReportbot';
const ALLOWED_SEARCH_PREFERENCES = ['furry', 'anime'];

const touchUserActivity = async (user) => {
  if (!user) return;
  const now = Date.now();
  const shouldUpdate =
    !user.lastActiveAt ||
    Math.abs(now - new Date(user.lastActiveAt).getTime()) > 5 * 60 * 1000;

  if (shouldUpdate) {
    user.lastActiveAt = new Date(now);
    await user.save();
  }
};

const ensureUserSettings = async (user) => {
  if (!user) return;
  let updated = false;

  if (!user.settings) {
    user.settings = {};
    updated = true;
  }

  if (!ALLOWED_SEARCH_PREFERENCES.includes(user.settings.searchPreference)) {
    user.settings.searchPreference = 'furry';
    updated = true;
  }

  if (!user.settings.whitelist) {
    user.settings.whitelist = { noNSFW: true };
    updated = true;
  } else if (user.settings.whitelist.noNSFW === undefined) {
    user.settings.whitelist.noNSFW = true;
    updated = true;
  }

  if (updated) {
    user.markModified('settings');
    await user.save();
  }
};

const authenticate = async (req, res, next) => {
  try {
    const authHeader = req.headers.authorization || '';

    if (!authHeader.startsWith('tma ')) {
      logSecurityEvent('AUTH_TOKEN_MISSING', req);
      return res.status(401).json({ error: OFFICIAL_CLIENT_MESSAGE });
    }

    const initDataRaw = authHeader.slice(4).trim();

    if (!initDataRaw) {
      logSecurityEvent('EMPTY_INITDATA', req);
      return res.status(401).json({ error: OFFICIAL_CLIENT_MESSAGE });
    }

    let payload;

    try {
      payload = validateAndParseInitData(initDataRaw);
    } catch (error) {
      logSecurityEvent('INVALID_INITDATA', req, { reason: error.message });
      return res.status(401).json({ error: `${error.message}. ${OFFICIAL_CLIENT_MESSAGE}` });
    }

    const telegramUser = payload.user;

    if (!validateTelegramId(telegramUser.id)) {
      logSecurityEvent('INVALID_TELEGRAM_ID', req, { telegramId: telegramUser.id });
      return res.status(401).json({ error: 'Неверный ID пользователя' });
    }

    let user = await User.findOne({ telegramId: telegramUser.id.toString() });

    if (!user) {
      user = new User({
        telegramId: telegramUser.id.toString(),
        username: telegramUser.username || telegramUser.first_name,
        firstName: telegramUser.first_name,
        lastName: telegramUser.last_name,
        photoUrl: telegramUser.photo_url
      });
      await user.save();
    } else {
      user.username = telegramUser.username || telegramUser.first_name;
      user.firstName = telegramUser.first_name;
      user.lastName = telegramUser.last_name;
      if (telegramUser.photo_url) {
        user.photoUrl = telegramUser.photo_url;
      }
      await user.save();
    }

    if (user.banned) {
      return res.status(403).json({ error: 'Пользователь заблокирован' });
    }

    await ensureUserSettings(user);
    await touchUserActivity(user);

    req.user = user;
    req.telegramUser = telegramUser;
    next();
  } catch (error) {
    console.error('❌ Ошибка авторизации:', error);
    res.status(401).json({ error: `Ошибка авторизации. ${OFFICIAL_CLIENT_MESSAGE}` });
  }
};

// Middleware для проверки роли модератора
const requireModerator = (req, res, next) => {
  if (req.user.role !== 'moderator' && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Требуются права модератора' });
  }
  next();
};

// Middleware для проверки роли админа
const requireAdmin = (req, res, next) => {
  if (req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Требуются права администратора' });
  }
  next();
};

module.exports = {
  authenticate,
  requireModerator,
  requireAdmin,
  touchUserActivity,
  ensureUserSettings
};