apskel-pos-backend/internal/service/auth_service.go

package service

import (
	"context"
	"errors"
	"fmt"
	"time"

	"apskel-pos-be/internal/contract"
	"apskel-pos-be/internal/models"
	"apskel-pos-be/internal/transformer"

	"github.com/golang-jwt/jwt/v5"
	"github.com/google/uuid"
	"golang.org/x/crypto/bcrypt"
)

type AuthService interface {
	Login(ctx context.Context, req *contract.LoginRequest) (*contract.LoginResponse, error)
	ValidateToken(tokenString string) (*contract.UserResponse, error)
	RefreshToken(ctx context.Context, tokenString string) (*contract.LoginResponse, error)
	Logout(ctx context.Context, tokenString string) error
}

type AuthServiceImpl struct {
	userProcessor UserProcessor
	jwtSecret     string
	tokenTTL      time.Duration
}

type Claims struct {
	UserID         uuid.UUID `json:"user_id"`
	Email          string    `json:"email"`
	Role           string    `json:"role"`
	OrganizationID uuid.UUID `json:"organization_id"`
	jwt.RegisteredClaims
}

func NewAuthService(userProcessor UserProcessor, jwtSecret string) AuthService {
	return &AuthServiceImpl{
		userProcessor: userProcessor,
		jwtSecret:     jwtSecret,
		tokenTTL:      24 * time.Hour,
	}
}

func (s *AuthServiceImpl) Login(ctx context.Context, req *contract.LoginRequest) (*contract.LoginResponse, error) {
	userResponse, err := s.userProcessor.GetUserByEmail(ctx, req.Email)
	if err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}

	if !userResponse.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}

	userEntity, err := s.userProcessor.GetUserEntityByEmail(ctx, req.Email)
	if err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}

	err = bcrypt.CompareHashAndPassword([]byte(userEntity.PasswordHash), []byte(req.Password))
	if err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}

	contractUserResponse := transformer.UserModelResponseToResponse(userResponse)

	token, expiresAt, err := s.generateToken(userResponse)
	if err != nil {
		return nil, fmt.Errorf("failed to generate token: %w", err)
	}

	return &contract.LoginResponse{
		Token:     token,
		ExpiresAt: expiresAt,
		User:      *contractUserResponse,
	}, nil
}

func (s *AuthServiceImpl) ValidateToken(tokenString string) (*contract.UserResponse, error) {
	claims, err := s.parseToken(tokenString)
	if err != nil {
		return nil, fmt.Errorf("invalid token: %w", err)
	}

	userResponse, err := s.userProcessor.GetUserByID(context.Background(), claims.UserID)
	if err != nil {
		return nil, fmt.Errorf("user not found: %w", err)
	}

	if !userResponse.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}

	contractUserResponse := transformer.UserModelResponseToResponse(userResponse)
	return contractUserResponse, nil
}

func (s *AuthServiceImpl) RefreshToken(ctx context.Context, tokenString string) (*contract.LoginResponse, error) {
	claims, err := s.parseToken(tokenString)
	if err != nil {
		return nil, fmt.Errorf("invalid token: %w", err)
	}

	userResponse, err := s.userProcessor.GetUserByID(ctx, claims.UserID)
	if err != nil {
		return nil, fmt.Errorf("user not found: %w", err)
	}

	if !userResponse.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}

	contractUserResponse := transformer.UserModelResponseToResponse(userResponse)

	newToken, expiresAt, err := s.generateToken(userResponse)
	if err != nil {
		return nil, fmt.Errorf("failed to generate token: %w", err)
	}

	return &contract.LoginResponse{
		Token:     newToken,
		ExpiresAt: expiresAt,
		User:      *contractUserResponse,
	}, nil
}

func (s *AuthServiceImpl) Logout(ctx context.Context, tokenString string) error {
	// In a more sophisticated implementation, you might want to blacklist the token
	// For now, we'll just validate that the token is valid
	_, err := s.parseToken(tokenString)
	if err != nil {
		return fmt.Errorf("invalid token: %w", err)
	}

	// In the future, you could store blacklisted tokens in Redis or database
	return nil
}

func (s *AuthServiceImpl) generateToken(user *models.UserResponse) (string, time.Time, error) {
	expiresAt := time.Now().Add(s.tokenTTL)

	claims := &Claims{
		UserID:         user.ID,
		Email:          user.Email,
		Role:           string(user.Role),
		OrganizationID: user.OrganizationID,
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(expiresAt),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			NotBefore: jwt.NewNumericDate(time.Now()),
			Issuer:    "apskel-pos",
			Subject:   user.ID.String(),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString([]byte(s.jwtSecret))
	if err != nil {
		return "", time.Time{}, err
	}

	return tokenString, expiresAt, nil
}

func (s *AuthServiceImpl) parseToken(tokenString string) (*Claims, error) {
	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(s.jwtSecret), nil
	})

	if err != nil {
		return nil, err
	}

	if claims, ok := token.Claims.(*Claims); ok && token.Valid {
		return claims, nil
	}

	return nil, errors.New("invalid token")
}