<?php

namespace App\Http\Middleware;

use App\Models\Miscellaneous\WebsiteBlockedCountry;
use App\Models\Miscellaneous\WebsiteIpBlacklist;
use App\Models\Miscellaneous\WebsiteIpWhitelist;
use App\Services\IpLookupService;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class VPNCheckerMiddleware
{
    public function handle(Request $request, Closure $next): Response
    {
        $isEnabled = setting('vpn_block_enabled') === '1';

        if (! $isEnabled) {
            return $next($request);
        }

        if (hasPermission('bypass_vpn')) {
            return $next($request);
        }

        $userIp = $request->ip();

        if (WebsiteIpWhitelist::where('ip_address', $userIp)->exists()) {
            return $next($request);
        }

        if (WebsiteIpBlacklist::where('ip_address', $userIp)->exists()) {
            return $this->denyAccess($request);
        }

        $ipService = new IpLookupService('');

        $countryInfo = $ipService->getCountryInfo($userIp);

        if (! empty($countryInfo['country_code'])) {
            $countryCode = $countryInfo['country_code'];

            if (WebsiteBlockedCountry::where('country_code', $countryCode)->exists()) {
                return $this->denyAccess($request);
            }

            $countryWhitelisted = WebsiteIpWhitelist::where('country_code', $countryCode)
                ->where('whitelist_country', true)
                ->exists();

            if (! $countryWhitelisted) {
                $countryBlacklisted = WebsiteIpBlacklist::where('country_code', $countryCode)
                    ->where('blacklist_country', true)
                    ->exists();

                if ($countryBlacklisted) {
                    return $this->denyAccess($request);
                }
            }
        }

        $threatInfo = $ipService->checkVpnProxyTor($userIp);

        if (! empty($threatInfo['asn'])) {
            $asnWhitelisted = WebsiteIpWhitelist::where('asn', $threatInfo['asn'])
                ->where('whitelist_asn', true)
                ->exists();

            if (! $asnWhitelisted) {
                $asnBlacklisted = WebsiteIpBlacklist::where('asn', $threatInfo['asn'])
                    ->where('blacklist_asn', true)
                    ->exists();

                if ($asnBlacklisted) {
                    return $this->denyAccess($request);
                }
            }
        }

        $blockVpn = setting('block_vpn') === '1';
        $blockTor = setting('block_tor') === '1';
        $blockMalicious = setting('block_malicious') === '1';

        $shouldBlock = false;

        if ($blockVpn && ($threatInfo['is_vpn'] ?? false)) {
            $shouldBlock = true;
        }

        if ($blockTor && ($threatInfo['is_tor'] ?? false)) {
            $shouldBlock = true;
        }

        if ($blockMalicious && ($threatInfo['is_malicious'] ?? false)) {
            $shouldBlock = true;
        }

        if ($shouldBlock) {
            WebsiteIpBlacklist::create([
                'ip_address' => $userIp,
                'asn' => $threatInfo['asn'] ?? null,
                'country_code' => $countryInfo['country_code'] ?? null,
            ]);

            return $this->denyAccess($request);
        }

        return $next($request);
    }

    private function denyAccess(Request $request): Response
    {
        if ($request->expectsJson()) {
            return response()->json([
                'message' => __('Your IP has been restricted - If you think this is a mistake, you can contact us on our Discord.'),
            ], 403);
        }

        return to_route('me.show')->withErrors([
            'message' => __('Your IP has been restricted - If you think this is a mistake, you can contact us on our Discord.'),
        ]);
    }
}