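import { OAuth2AccessToken } from '@icynet/oauth2-provider';
import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
import { Reflector } from '@nestjs/core';

/**
 * Validates OAuth2 scopes.
 *
 * Reads the `scopes` metadata attached to the route handler and lets the
 * request through only when every listed scope was granted to the access
 * token stored on `response.locals.accessToken`.
 *
 * This guard performs authorization only. It does not parse or verify a
 * token itself; it trusts whatever was placed on `response.locals` earlier in
 * the request pipeline.
 * NOTE(review): where `accessToken` is set and validated is not visible in
 * this file — confirm it runs before this guard on every guarded route.
 */
@Injectable()
export class ScopesGuard implements CanActivate {
  constructor(private reflector: Reflector) {}

  /**
   * Decides whether the current request may reach the handler.
   *
   * @param context - Nest execution context for the current request.
   * @returns `true` when the handler declares no `scopes` metadata, or when
   * the access token carries every required scope; `false` when scopes are
   * required and the token is missing or lacks one of them.
   */
  canActivate(context: ExecutionContext): boolean {
    // Only handler-level metadata is read here; `scopes` metadata set on the
    // controller class is not consulted by this lookup.
    const scopes: string[] | undefined = this.reflector.get(
      'scopes',
      context.getHandler(),
    );

    // A handler without `scopes` metadata is allowed unconditionally, even
    // with no access token present. Routes are therefore open by default as
    // far as this guard is concerned and must opt in to scope checks.
    if (!scopes) {
      return true;
    }

    const response = context.switchToHttp().getResponse();
    const accessToken = response.locals.accessToken as OAuth2AccessToken;
    if (!accessToken) {
      return false;
    }

    // Compare whole scope names only. The declared type of
    // `OAuth2AccessToken.scope` is not visible here; if it is a
    // space-delimited string (the RFC 6749 wire format) rather than a list,
    // calling `.includes()` on it would match substrings, so a required
    // scope could be satisfied by a longer granted scope that merely
    // contains it. Normalizing to a set of names makes the check exact for
    // both representations. Any other shape grants nothing (fail closed).
    const rawScope: unknown = accessToken.scope;
    const granted = new Set<string>(
      typeof rawScope === 'string'
        ? rawScope.split(/\s+/).filter(Boolean)
        : Array.isArray(rawScope)
          ? rawScope
          : [],
    );

    return scopes.every((scope) => granted.has(scope));
  }
}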