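import bcrypt from 'bcrypt';
import { prisma } from './prisma';

/**
 * bcrypt cost factor. 10 is the library default; raise it as hardware gets
 * faster (each +1 roughly doubles hashing time). A bcrypt hash embeds its own
 * cost, so `verifyPassword` keeps accepting hashes made with an older value —
 * re-hash on successful login to migrate existing users.
 */
const SALT_ROUNDS = 10;

/**
 * The minimal shape `isUserAllowedInOrg` reads from a user record. Declared
 * structurally so a Prisma row or a plain object (e.g. a decoded session)
 * satisfies it without casts — and without falling back to `any`.
 */
export interface OrgScopedUser {
  role?: string | null;
  organizationId?: string | null;
}

export class AuthService {
  /**
   * Hashes a plaintext password with bcrypt at `SALT_ROUNDS` cost.
   *
   * NOTE: bcrypt only uses the first 72 bytes of the input; callers should
   * enforce their password-length policy (and reject empty strings) before
   * calling this, since nothing here does.
   *
   * @param password plaintext password
   * @returns the bcrypt hash string (salt and cost embedded)
   */
  static async hashPassword(password: string): Promise<string> {
    return bcrypt.hash(password, SALT_ROUNDS);
  }

  /**
   * Checks a plaintext password against a stored bcrypt hash.
   *
   * To avoid leaking whether an account exists through response timing, the
   * login path should run this (against a dummy hash) even when the user
   * lookup returned nothing, rather than short-circuiting.
   *
   * @param password plaintext candidate
   * @param hash stored bcrypt hash
   * @returns `true` only when `password` matches `hash`
   */
  static async verifyPassword(password: string, hash: string): Promise<boolean> {
    return bcrypt.compare(password, hash);
  }

  /**
   * Looks up a user by the tenant-scoped unique key (email, organizationId)
   * and includes the organization row. Prefer this over
   * `findUserByEmailOnly` whenever the organization is already known.
   *
   * @returns the user with `organization`, or `null` when no match exists
   */
  static async findUserByEmail(email: string, organizationId: string) {
    return prisma.user.findUnique({
      where: { email_organizationId: { email, organizationId } },
      include: { organization: true },
    });
  }

  /**
   * Looks up a user by email alone, across all organizations.
   *
   * WARNING: email is not globally unique here — the unique key is
   * `email_organizationId` — so the same address can exist in several tenants
   * and `findFirst` without an `orderBy` returns an arbitrary one of them.
   * Never use this result on its own to grant tenant access; check it with
   * `isUserAllowedInOrg` against the organization actually being requested.
   *
   * @returns some user with that email (with `organization`), or `null`
   */
  static async findUserByEmailOnly(email: string) {
    return prisma.user.findFirst({
      where: { email },
      include: { organization: true },
    });
  }

  /**
   * Decides whether `user` may act inside organization `targetOrgId`.
   *
   * - `SUPER_ADMIN` may access any organization.
   * - Any other role must belong to exactly that organization.
   * - A missing user, or an empty `targetOrgId`, fails closed (`false`)
   *   instead of throwing or accidentally matching an empty organizationId.
   *
   * @param user the user record (or `null`/`undefined` when the lookup failed)
   * @param targetOrgId id of the organization being accessed
   */
  static isUserAllowedInOrg(
    user: OrgScopedUser | null | undefined,
    targetOrgId: string,
  ): boolean {
    // Fail closed rather than throw on a missing user (e.g. findFirst -> null).
    if (user == null) return false;
    // Super admin can access anything.
    if (user.role === 'SUPER_ADMIN') return true;
    // An empty target is never a legitimate tenant; refuse instead of letting
    // '' === '' grant access to a user with no organization set.
    if (!targetOrgId) return false;
    // Org Admin/Member must belong to the requested organization.
    return user.organizationId === targetOrgId;
  }
}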