using Thalos.Bff.Application.Adapters;
using Thalos.Bff.Application.Security;
using Thalos.Bff.Contracts.Api;

namespace Thalos.Bff.Application.Handlers;

/// <summary>
/// Default edge handler for token issuance.
/// </summary>
public sealed class IssueTokenHandler(
    IThalosServiceClient serviceClient,
    IIdentityEdgeContractAdapter contractAdapter,
    IPermissionGuard permissionGuard)
    : IIssueTokenHandler
{
    /// <inheritdoc />
    public async Task<IssueTokenApiResponse> HandleAsync(IssueTokenApiRequest request)
    {
        var policyRequest = contractAdapter.ToPolicyRequest(request, "identity.token.issue");
        var policyResponse = await serviceClient.EvaluatePolicyAsync(policyRequest);

        if (!permissionGuard.CanAccess(policyResponse))
        {
            throw new UnauthorizedAccessException("Permission denied.");
        }

        var issueRequest = contractAdapter.ToIssueTokenRequest(request);
        var issueResponse = await serviceClient.IssueTokenAsync(issueRequest);
        return contractAdapter.ToIssueTokenApiResponse(issueResponse);
    }
}