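const jwt = require('jsonwebtoken');

// Process-local revocation list keyed by the JWT id (`jti` claim).
// NOTE: this Set lives only in this process's memory — it is not shared
// between instances, is lost on restart, and nothing evicts an entry once
// the token it names has expired on its own, so it grows without bound.
const revokedTokens = new Set();

/**
 * Mark a token id (`jti` claim) as revoked for this process.
 * @param {string} jti - the token id to revoke
 * @returns {Set<string>} the revocation set (result of Set#add)
 */
const revokeToken = (jti) => revokedTokens.add(jti);

/**
 * Pull the token out of an `Authorization` header value.
 * Only the `Bearer <token>` scheme (scheme compared case-insensitively, per
 * RFC 7235) is accepted; a missing header, a different scheme, an empty
 * token or extra whitespace-separated parts all yield null, so a credential
 * sent under another scheme can never be mistaken for a bearer token.
 * @param {string | undefined} header - raw header value
 * @returns {string | null} the token, or null when the header is not a bearer credential
 */
const extractBearerToken = (header) => {
  if (typeof header !== 'string') return null;
  const [scheme, token, ...rest] = header.trim().split(/\s+/);
  if (!token || rest.length > 0) return null;
  return scheme.toLowerCase() === 'bearer' ? token : null;
};

/**
 * Express middleware factory: authenticates the request with the JWT from
 * the `Authorization: Bearer <token>` header and, when `requiredPerms` is
 * non-empty, authorizes it if the token's `permissions` claim contains ANY
 * of them (any-of, not all-of).
 *
 * Responses are always `{ success: false, message }` on failure:
 *   401 — no bearer token, verification failed, payload is not an object,
 *         or the token's `jti` has been revoked via revokeToken();
 *   403 — token is valid but holds none of the required permissions.
 * On success `req.user` is set to the decoded payload and `next()` is called.
 *
 * @param {...string} requiredPerms - permission names, any one of which suffices
 * @returns {(req: object, res: object, next: Function) => void}
 */
const rbacAuth = (...requiredPerms) => (req, res, next) => {
  const token = extractBearerToken(req.headers.authorization);
  if (!token) {
    return res.status(401).json({ success: false, message: '未登录' });
  }

  let decoded;
  try {
    // NOTE(review): no `algorithms` option is passed, so jsonwebtoken accepts
    // whatever algorithm the token header names that works with a string
    // secret. Pin it to the algorithm the issuer actually signs with
    // (`{ algorithms: [...] }`) once that is confirmed.
    decoded = jwt.verify(token, process.env.JWT_SECRET);
  } catch (err) {
    // Only verification failures land here; a throw from a downstream
    // handler is no longer masked as a bad token.
    return res.status(401).json({ success: false, message: 'token无效或已过期' });
  }

  // jwt.verify returns a string for non-JSON payloads; such a token carries
  // no claims to authorize against, so treat it as invalid.
  if (decoded === null || typeof decoded !== 'object') {
    return res.status(401).json({ success: false, message: 'token无效或已过期' });
  }

  if (decoded.jti && revokedTokens.has(decoded.jti)) {
    return res.status(401).json({ success: false, message: 'token已失效' });
  }

  req.user = decoded;

  if (requiredPerms.length > 0) {
    // Only a real array counts: a string-valued claim would otherwise make
    // `includes` do substring matching instead of exact permission matching.
    const userPerms = Array.isArray(decoded.permissions) ? decoded.permissions : [];
    const hasPerm = requiredPerms.some((perm) => userPerms.includes(perm));
    if (!hasPerm) {
      return res.status(403).json({ success: false, message: '权限不足' });
    }
  }

  return next();
};

module.exports = rbacAuth;
// Attach AFTER assigning module.exports: the previous order (attach first,
// then `module.exports = rbacAuth`) replaced the exports object and silently
// dropped revokeToken, so revocation was unreachable from other modules.
module.exports.revokeToken = revokeToken;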