from django.http import JsonResponse


class RequireAuthHeaderMiddleware:
    """
    Temporary middleware that rejects ``/api/`` requests carrying no
    ``Authorization`` header, unless the path falls under one of the
    prefixes listed in ``PUBLIC_PATHS``.

    Only the *presence* of the header is checked; its value is never
    parsed or verified, so this is a stop-gap until real JWT validation
    is wired in. ``PUBLIC_PATHS`` is matched with ``str.startswith``, so
    an entry such as ``'/api/users/'`` exempts every path beneath it, and
    the list already includes broad resource roots (``'/api/users/'``,
    ``'/api/stamps/'``, ``'/api/payroll/'`` ...) that therefore never
    reach the header check here.
    """

    # Path prefixes that bypass the header check. Each entry exempts its
    # whole subtree because matching is prefix-based, not exact.
    PUBLIC_PATHS = (
        '/api/companies/search/',
        '/api/companies/login/',
        '/api/auth/login/',
        '/api/auth/refresh/',
        '/api/employeetypes/',
        '/api/supervisors/',
        '/api/supervisorgroups/',
        '/api/users/',
        '/api/configurations/',
        '/api/stamps/',
        '/api/stamps/worktime-report/excel/',
        '/api/stamps/worktime-report/pdf/',
        '/api/clients/report/excel/',
        '/api/clients/report/pdf/',
        '/api/projects/report/excel/',
        '/api/projects/report/pdf/',
        '/api/paycodes/',
        '/api/shifts/',
        '/api/projects/',
        '/api/tasks/',
        '/api/clients/',
        '/api/questionconfigurations/',
        '/api/payroll/',  # Payroll endpoints - require JWT but allow through middleware
    )

    def __init__(self, get_response):
        # Next callable in Django's middleware chain.
        self.get_response = get_response

    def _is_exempt(self, path):
        """Return True when ``path`` is outside ``/api/`` or under a public prefix."""
        if not path.startswith('/api/'):
            return True
        return any(path.startswith(prefix) for prefix in self.PUBLIC_PATHS)

    def __call__(self, request):
        """
        Answer 401 for a non-exempt API request whose ``Authorization``
        header is absent or empty; otherwise hand the request on unchanged.
        """
        if not self._is_exempt(request.path):
            header_value = request.headers.get('Authorization')
            # An empty string counts as missing, same as no header at all.
            if not header_value:
                return JsonResponse({'error': 'Authorization header required'}, status=401)
        return self.get_response(request)


