package auth

import (
	memberenum "gateway/internal/model/member/domain/enum"
	dommember "gateway/internal/model/member/domain/usecase"
)

// NOTE(review): errb is referenced below but does not appear in the import
// block visible in this listing; confirm where it is brought into scope.

// passwordResetPurpose returns memberenum.OTPPurposePasswordReset, giving the
// package a single place from which that purpose value is obtained.
func passwordResetPurpose() memberenum.OTPPurpose {
	return memberenum.OTPPurposePasswordReset
}

// ensurePlatformNativePassword reports whether the member's password may be
// changed through this package. Only members whose Origin is
// MemberOriginPlatformNative pass; every other origin, including values this
// function does not know about, is rejected (fail closed).
//
// It returns errb.ResNotFound("member", "") for a nil member,
// errb.AuthForbidden with an origin-specific message for OIDC, LDAP and SCIM
// members, errb.AuthForbidden with a generic message for any other origin,
// and nil for platform-native members.
//
// Security: the forbidden messages name the identity source behind the
// account. NOTE(review): if this result can reach a caller who has not yet
// authenticated as the member, consider returning one uniform response to the
// client and keeping the specific reason in server-side logs only, so the
// endpoint does not reveal how an account is provisioned.
func ensurePlatformNativePassword(member *dommember.MemberDTO) error {
	if member == nil {
		return errb.ResNotFound("member", "")
	}

	origin := member.Origin
	if origin == memberenum.MemberOriginPlatformNative {
		return nil
	}

	// Anything that is not explicitly recognised falls through to the generic
	// denial, so a newly added origin is refused until it is handled here.
	reason := "account cannot change password here"
	switch origin {
	case memberenum.MemberOriginOIDC:
		reason = "social login accounts cannot change password here"
	case memberenum.MemberOriginLDAP:
		reason = "ldap accounts cannot change password here"
	case memberenum.MemberOriginSCIM:
		reason = "scim provisioned accounts cannot change password here"
	}
	return errb.AuthForbidden(reason)
}

// ensurePasswordResetEligible reports whether a member in the given status is
// allowed to reset their password. Only MemberStatusActive passes.
//
// It returns nil for active members, errb.ResNotFound("member", "") for
// deleted members, and errb.AuthForbidden for unverified, suspended and any
// unrecognised status (fail closed).
//
// Security: each status maps to a distinguishable error (not verified,
// suspended, not found). NOTE(review): a password-reset request is typically
// made before authentication; if these errors are passed through to the
// requester unchanged they act as an account-state oracle. Confirm that the
// caller answers with an identical response regardless of outcome and records
// the specific reason only in audit logs.
func ensurePasswordResetEligible(status memberenum.MemberStatus) error {
	if status == memberenum.MemberStatusActive {
		return nil
	}
	// Deleted members are reported as missing rather than forbidden.
	if status == memberenum.MemberStatusDeleted {
		return errb.ResNotFound("member", "")
	}

	// Unknown statuses keep the generic denial below.
	reason := "account is not allowed to reset password"
	switch status {
	case memberenum.MemberStatusUnverified:
		reason = "account is not verified"
	case memberenum.MemberStatusSuspended:
		reason = "account is suspended"
	}
	return errb.AuthForbidden(reason)
}