<?php

declare(strict_types=1);

use App\Models\FormBuilder\FormSubmission;
use App\Models\User;
use Illuminate\Support\Facades\Broadcast;

/*
|--------------------------------------------------------------------------
| Broadcast Channel Authorization
|--------------------------------------------------------------------------
|
| Channel-level authorization callbacks for private and presence channels.
| Laravel's broadcasting auth middleware invokes these on subscription
| attempts; returning truthy authorises, falsy denies.
|
| File registered in bootstrap/app.php via withRouting(channels: ...).
| Without that registration this file is dead code.
|
*/

/*
 * Per RFC-WS-6 §Q1 v1.3 addition 2.
 *
 * Authorises private subscriptions to a form-submission's identity-match
 * resolution channel. The TriggerPersonIdentityMatchOnFormSubmit listener
 * dispatches FormSubmissionIdentityMatchResolved on this channel after
 * writing the final identity_match_status; the frontend portal
 * IdentityMatchBanner subscribes via Echo.private('submission.{id}') and
 * refetches the submission resource on receipt.
 *
 * v1 authz scope: only the submitter who created the submission via an
 * authenticated session is allowed to subscribe. Org-admin access is
 * deferred — see BACKLOG entry TECH-CHANNEL-AUTH-ORG-ADMIN. Public
 * (token-based) submitters are not on this channel; their flow is
 * already polling-based and they don't have a User to authenticate with.
 */
Broadcast::channel(
    'submission.{submissionId}',
    function (User $user, string $submissionId): bool {
        $submission = FormSubmission::query()
            ->withoutGlobalScopes()
            ->find($submissionId);

        if ($submission === null) {
            return false;
        }

        // TODO TECH-CHANNEL-AUTH-ORG-ADMIN — extend to organisation admins
        // once we audit the Spatie Permission helper for an
        // organisation-scoped role check (hasRoleInOrganisation or
        // similar). Until that audit lands, only the submitter has
        // channel access.
        return $submission->submitted_by_user_id === $user->id;
    },
);