<?php
namespace app\middleware;

use think\facade\Config;

class StaffAuth
{
    public function handle($request, \Closure $next)
    {
        $token = $request->header('Authorization', '');
        if (strpos($token, 'Bearer ') === 0) {
            $token = substr($token, 7);
        }

        if (empty($token)) {
            return json(['code' => -1, 'msg' => '请登录', 'data' => null])->code(401);
        }

        // 解析Token: base64(staff_id|expire|hmac)
        $plain = base64_decode($token);
        if (!$plain) {
            return json(['code' => -1, 'msg' => 'Token无效', 'data' => null])->code(401);
        }

        $parts = explode('|', $plain);
        if (count($parts) !== 3) {
            return json(['code' => -1, 'msg' => 'Token格式错误', 'data' => null])->code(401);
        }

        [$staffId, $expire, $sign] = $parts;

        // 校验过期
        if (time() > intval($expire)) {
            return json(['code' => -1, 'msg' => '登录已过期', 'data' => null])->code(401);
        }

        // 校验签名
        $secret = Config::get('app.app_secret', 'bar_order_secret_key_2026');
        $expected = hash_hmac('sha256', $staffId . '|' . $expire, $secret);
        if (!hash_equals($expected, $sign)) {
            return json(['code' => -1, 'msg' => 'Token签名错误', 'data' => null])->code(401);
        }

        $request->staffId = intval($staffId);
        return $next($request);
    }
}