<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use App\Models\AuditLog;
use Illuminate\Support\Facades\Auth;

class AuditRequestMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response)  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Audit only write/mutation operations or auth requests
        $method = $request->method();
        if (in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE']) || $request->routeIs('*.sensitive')) {
            $user = Auth::user();
            
            // Mask sensitive fields in request payload
            $payload = $request->all();
            $sensitiveKeys = ['password', 'password_confirmation', 'pin', 'pin_confirmation', 'pin_hash', 'code', 'token', 'key', 'national_id', 'card_number'];
            foreach ($sensitiveKeys as $key) {
                if (isset($payload[$key])) {
                    $payload[$key] = '********';
                }
            }

            AuditLog::record([
                'user_id' => $user?->id,
                'actor_id' => $user?->id,
                'action' => 'api_request_' . strtolower($method),
                'subject_type' => 'Request',
                'subject_id' => null,
                'old_values' => null,
                'new_values' => [
                    'url' => $request->fullUrl(),
                    'method' => $method,
                    'status' => $response->getStatusCode(),
                    'payload' => $payload,
                ],
                'ip_address' => $request->ip(),
                'user_agent' => $request->userAgent(),
                'device_id' => $request->header('X-Device-Id'),
            ]);
        }

        return $response;
    }
}