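// The main app file.
import express from "express";
import loadDb from "./loadDb"; // dummy middleware to load db (sets request.db)
import authorize from "./authorization"; // middleware for doing authorization
import permit from "./permission"; // middleware for checking if user's role is permitted to make request

const app = express();
// `Router` is a factory on the express module, not a method of the app instance
// (the original called `app.Router()`, which is undefined).
const api = express.Router();

// NOTE(review): loadDb was imported but never mounted in the original; it is
// mounted first here on the assumption that authorize needs `req.db` — confirm.
app.use(loadDb);

// Check authorization for each request; this sets `req.user`. It must be
// mounted before any route so every handler below can rely on `req.user`.
app.use(authorize);

// Setup permission middleware: checks `req.user.role` and decides whether the
// request may continue. These are mounted on the same prefixes the router is
// mounted on below, so they run before the matching router handlers.
app.use("/api/private", permit("admin"));
app.use(["/api/foo", "/api/bar"], permit("account-owner", "account-member"));

// Setup request handlers. Responses are sent through `res`; the original
// referenced an undefined `response` identifier and called `req.json`, which
// does not exist on the request object.
api.get("/private/whatever", (req, res) => res.json({ whatever: true }));
api.get("/foo", (req, res) => res.json({ currentUser: req.user }));
api.get("/bar", (req, res) => res.json({ currentUser: req.user }));

// Setup permissions based on HTTP method.
// Account creation carries no route-level `permit`; note that the app-wide
// `authorize` middleware above still runs for it.
api.post("/account", (req, res) => res.json({ message: "created" }));
// Account update & delete (PATCH & DELETE) are only available to the account owner.
api.patch("/account", permit("account-owner"), (req, res) => res.json({ message: "updated" }));
api.delete("/account", permit("account-owner"), (req, res) => res.json({ message: "deleted" }));
// Viewing the account (GET) is available to account owner and account member.
api.get("/account", permit("account-member", "account-owner"), (req, res) => res.json({ currentUser: req.user }));

// Mount api router.
app.use("/api", api);

// Start 'er up.
app.listen(process.env.PORT || 3000);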