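import { GraphQLError } from "graphql";
import type { Context } from "../graphql/builder";

/** Roles that `requireRole` can be asked to accept. */
type UserRole = "viewer" | "model" | "admin";

/**
 * Returns the authenticated user held by the context, or throws.
 *
 * This is the one place where `ctx.currentUser` is narrowed. The exported
 * guards take the user from here rather than re-reading `ctx.currentUser`
 * with a non-null assertion, so an authorization decision never rests on a
 * type-checker override.
 *
 * @param ctx - Per-request GraphQL context.
 * @returns The value of `ctx.currentUser` once it is known to be set.
 * @throws GraphQLError with message "Unauthorized" when `ctx.currentUser` is falsy.
 */
function authenticatedUser(ctx: Context): NonNullable<Context["currentUser"]> {
  const user = ctx.currentUser;
  if (!user) throw new GraphQLError("Unauthorized");
  return user;
}

/**
 * Rejects requests that carry no authenticated user.
 *
 * The guard only throws; it protects a resolver only when it is called before
 * the resolver reads or changes any data.
 *
 * @param ctx - Per-request GraphQL context.
 * @throws GraphQLError with message "Unauthorized" when `ctx.currentUser` is falsy.
 */
export function requireAuth(ctx: Context): void {
  authenticatedUser(ctx);
}

/**
 * Rejects requests whose user does not hold one of the listed roles.
 *
 * Authentication is checked first, so an anonymous caller gets "Unauthorized"
 * rather than "Forbidden". With no roles listed, every authenticated caller is
 * rejected (the check fails closed).
 *
 * @param ctx - Per-request GraphQL context.
 * @param roles - Roles allowed to proceed; matched by exact equality.
 * @throws GraphQLError with message "Unauthorized" when there is no current user.
 * @throws GraphQLError with message "Forbidden" when the user's role is not in `roles`.
 */
export function requireRole(ctx: Context, ...roles: UserRole[]): void {
  const user = authenticatedUser(ctx);
  if (!roles.includes(user.role)) throw new GraphQLError("Forbidden");
}

/**
 * Rejects requests unless the user owns the resource or is an admin.
 *
 * `ownerId` is compared as given, with strict equality. The check is only
 * meaningful when the caller passes the owner id read from the stored resource
 * rather than a value supplied in the request.
 *
 * @param ctx - Per-request GraphQL context.
 * @param ownerId - Id of the user who owns the resource being accessed.
 * @throws GraphQLError with message "Unauthorized" when there is no current user.
 * @throws GraphQLError with message "Forbidden" when the user is neither the owner nor an admin.
 */
export function requireOwnerOrAdmin(ctx: Context, ownerId: string): void {
  const user = authenticatedUser(ctx);
  // Ownership is tested first; the role is consulted only for non-owners.
  if (user.id === ownerId || user.role === "admin") return;
  throw new GraphQLError("Forbidden");
}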