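class User < ApplicationRecord
  # Account record: local password authentication, session ownership and a
  # three-level role used for authorisation. The role comes either from the
  # local bootstrap rule (first account is admin) or from the group claims of
  # an OIDC login.
  has_secure_password
  has_many :sessions, dependent: :destroy

  normalizes :email_address, with: ->(e) { e.strip.downcase }

  enum :role, { admin: 0, user: 1, viewer: 2 }, default: :user

  # The reset token embeds updated_at, so any save that touches the row
  # (including a password change) invalidates tokens issued before it.
  generates_token_for :password_reset, expires_in: 1.hour do
    updated_at
  end

  validates :email_address, presence: true, uniqueness: true,
                            format: { with: URI::MailTo::EMAIL_REGEXP }
  validates :role, presence: true

  before_validation :set_first_user_as_admin, on: :create

  # ENV variable => role, evaluated in this order. The first match wins, so an
  # identity that is in both an admin group and a viewer group is an admin.
  OIDC_GROUP_ROLES = [
    ['OIDC_ADMIN_GROUPS', 'admin'],
    ['OIDC_USER_GROUPS', 'user'],
    ['OIDC_VIEWER_GROUPS', 'viewer']
  ].freeze

  # Role granted when none of the configured groups match.
  # NOTE(review): an OIDC identity that matches no configured group still
  # gets 'user'; if the IdP can admit identities outside these groups, a
  # 'viewer' default would be the least-privilege choice. Kept as 'user' to
  # preserve existing behaviour.
  OIDC_DEFAULT_ROLE = 'user'

  # Maps the group claims of an OIDC identity to a role name.
  #
  # groups - a String, Array of Strings or nil (nil/scalar is wrapped with
  #          Array()). Entries are compared verbatim against the configured
  #          group names.
  #
  # Returns one of 'admin', 'user', 'viewer'. Configuration is read from ENV
  # on every call, so changes to the OIDC_*_GROUPS variables take effect
  # without reloading the class. Empty entries in the variables (e.g. a
  # trailing comma) are ignored so they can never match an empty claim.
  #
  # This is a public class method even though it appears near the private
  # section below: `private` does not apply to `def self.` definitions, and
  # update_role_from_oidc_groups calls it with an explicit receiver.
  def self.map_oidc_groups_to_role(groups)
    groups = Array(groups)
    OIDC_GROUP_ROLES.each do |env_var, role_name|
      return role_name if (oidc_groups_from_env(env_var) & groups).any?
    end
    OIDC_DEFAULT_ROLE
  end

  # Parses a comma-separated group list from ENV[env_var].
  # Returns an Array of stripped, non-empty group names ([] when unset).
  def self.oidc_groups_from_env(env_var)
    ENV[env_var].to_s.split(',').map(&:strip).reject(&:empty?)
  end
  private_class_method :oidc_groups_from_env

  # Re-derives the role from OIDC group claims and persists it when it
  # differs from the stored role. Demotions are applied as well as
  # promotions, so group membership removed at the IdP takes effect on the
  # next login.
  #
  # Returns the result of update (true/false) when a change was attempted,
  # nil when the role was already correct.
  def update_role_from_oidc_groups(groups)
    new_role = self.class.map_oidc_groups_to_role(groups)
    update(role: new_role) if role != new_role
  end

  # True when the stored role is 'admin'.
  def admin?
    role == 'admin'
  end

  # True when the stored role is 'viewer'.
  def viewer?
    role == 'viewer'
  end

  private

  # Bootstrap rule: the very first account created becomes admin.
  # NOTE(review): this is an application-level check with no database-level
  # guard, so two first sign-ups racing each other could both see no users
  # and both become admin; confirm the deployment serialises initial account
  # creation or add a uniqueness guard if that matters.
  def set_first_user_as_admin
    return if User.any?

    self.role = 'admin'
  end
end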