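// SPDX-License-Identifier: AGPL-3.0-or-later

package middleware

import (
	"net/http"
	"path"
	"strings"
)

// MustResetPasswordGuard returns middleware that keeps a user flagged with
// MustResetPassword on the password-reset flow.
//
// For such a user every request is answered with a 303 redirect to
// basePath+"/reset-password", except requests whose path is on a short
// allowlist that has to stay reachable for the reset flow to work at all:
//
//   - /reset-password  the reset page/form itself
//   - /logout          so the user can always abandon the session instead
//   - /health          liveness probes (kept explicit even though they
//     normally carry no user context)
//   - /static/...      assets needed to render the reset page
//
// The allowlist is matched against the request path after path.Clean, so a
// dot-segment or doubled slash ("/static/../admin", "//static/x") cannot make
// a non-allowlisted route look like an allowlisted one. A plain prefix test
// on the raw path would wave such a request through and leave it to the
// downstream router to decide what "/static/../admin" resolves to.
//
// Only the redirect target is built from basePath; the allowlist is compared
// against r.URL.Path exactly as this middleware sees it. If the application
// is mounted under basePath and that prefix is not stripped before this
// guard runs, the allowlisted paths never match and a flagged user would
// loop on the redirect — TODO confirm how the router mounts this guard
// relative to basePath.
//
// Requests with no user in context, and users without the flag, pass through
// untouched.
func MustResetPasswordGuard(basePath string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			user := UserFromContext(r.Context())
			if user == nil || !user.MustResetPassword {
				next.ServeHTTP(w, r)
				return
			}
			if resetFlowPath(r.URL.Path) {
				next.ServeHTTP(w, r)
				return
			}
			// basePath is server configuration, not request data, so this
			// redirect target is not attacker-controlled.
			http.Redirect(w, r, basePath+"/reset-password", http.StatusSeeOther)
		})
	}
}

// resetFlowPath reports whether p (a request URL path) is one of the routes
// that a user who must still reset their password is allowed to reach.
//
// p is normalized with path.Clean before comparison so that "..", "." and
// repeated slashes cannot disguise another route as an allowlisted one. An
// empty path cleans to "." and is therefore not allowlisted.
func resetFlowPath(p string) bool {
	clean := path.Clean(p)
	switch clean {
	case "/reset-password", "/logout", "/health":
		return true
	case "/static":
		// path.Clean drops the trailing slash from "/static/", which the
		// prefix test below would then reject; keep the directory root
		// reachable, as the unnormalized prefix test did.
		return true
	}
	return strings.HasPrefix(clean, "/static/")
}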