<?php

declare(strict_types=1);

namespace App\Administration\Infrastructure\Security;

use App\SuperAdmin\Infrastructure\Security\SecuritySuperAdmin;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;

/**
 * Enriches the JWT payload with business claims.
 *
 * Added claims:
 * - sub: User email (Symfony Security identifier)
 * - user_id: User UUID (for API consumers)
 * - tenant_id: Tenant UUID for multi-tenant isolation (regular users only)
 * - user_type: "super_admin" for super admins
 * - roles: List of Symfony roles for authorization
 *
 * @see Story 1.4 - User login
 */
final readonly class JwtPayloadEnricher
{
    public function onJWTCreated(JWTCreatedEvent $event): void
    {
        $user = $event->getUser();
        $payload = $event->getData();

        if ($user instanceof SecuritySuperAdmin) {
            $payload['user_id'] = $user->superAdminId();
            $payload['user_type'] = 'super_admin';
            $payload['roles'] = $user->getRoles();
            $event->setData($payload);

            return;
        }

        if (!$user instanceof SecurityUser) {
            return;
        }

        // Business claims for multi-tenant isolation and authorization
        $payload['user_id'] = $user->userId();
        $payload['tenant_id'] = $user->tenantId();
        $payload['roles'] = $user->getRoles();

        $event->setData($payload);
    }
}