const jwt = require('jsonwebtoken');
require('dotenv').config();

const activeSessions = {}; // store last activity timestamp for tokens

module.exports = (requiredRole = null) => {
    return (req, res, next) => {
        const authHeader = req.headers.authorization;

        if (!authHeader) {
            return res.status(401).json({ message: 'No token provided' });
        }

        const token = authHeader.split(' ')[1];

        jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
            if (err) {
                return res.status(401).json({ message: 'Invalid token' });
            }

            // Check token last activity
            const lastActivity = activeSessions[token];
            const now = Date.now();

            if (lastActivity && now - lastActivity > 30 * 60 * 1000) {
                delete activeSessions[token];
                return res.status(401).json({ message: 'Token expired due to inactivity' });
            }

            // Update last activity
            activeSessions[token] = now;

            req.user = decoded;

            if (requiredRole && decoded.role !== requiredRole) {
                return res.status(403).json({ message: 'Forbidden. Insufficient role' });
            }

            next();
        });
    };
};