import { Router } from 'express';
import bookingController from '../controllers/booking.controller';
import { authenticate, optionalAuth } from '../middleware/auth.middleware';
import { requirePermission } from '../middleware/rbac.middleware';

/**
 * Booking routes.
 *
 * Route-level access control in this file falls into three tiers:
 *   1. `optionalAuth` only        – the iCal export (token-based, no session).
 *   2. `authenticate` only        – reads, plus the two soft-cancel routes.
 *   3. `authenticate` + RBAC      – create, update and hard-delete.
 *
 * Registration order matters: the parameterised `GET /:id` is registered
 * last so that literal paths such as `/vehicles` or `/calendar` are matched
 * first.
 */
const router = Router();

/** Returns the named controller method bound to the controller instance. */
const handler = (method) => bookingController[method].bind(bookingController);

/** Middleware chain: session authentication followed by one RBAC permission check. */
const withPermission = (permission) => [authenticate, requirePermission(permission)];

// ── Public (token-based, no session auth required) ───────────────────────────
// Only `optionalAuth` runs here, so unauthenticated requests reach the
// controller. NOTE(review): the calendar token check is not visible in this
// file — presumably done inside getIcalExport; confirm it rejects missing or
// invalid tokens. If the token travels in the URL, treat it as a bearer
// secret (it ends up in access logs and calendar-client configuration).
router.get('/calendar.ics', optionalAuth, handler('getIcalExport'));

// ── Read-only (all authenticated users) ──────────────────────────────────────
router.get('/vehicles', authenticate, handler('getVehiclesForBooking'));
router.get('/calendar', authenticate, handler('getCalendarRange'));
router.get('/upcoming', authenticate, handler('getUpcoming'));
router.get('/availability', authenticate, handler('checkAvailability'));
router.get('/calendar-token', authenticate, handler('getCalendarToken'));

// ── Write operations ─────────────────────────────────────────────────────────
router.post('/', ...withPermission('fahrzeugbuchungen:create'), handler('create'));
router.patch('/:id', ...withPermission('fahrzeugbuchungen:manage'), handler('update'));

// Soft-cancel (sets abgesagt=TRUE) — intended for the creator or holders of
// bookings:write. No RBAC middleware is attached to these two routes, so that
// rule is not enforced at route level.
// NOTE(review): confirm bookingController.cancel performs the creator /
// permission check itself, and which permission it tests — `bookings:write`
// does not follow the `fahrzeugbuchungen:*` naming used on the other routes.
router.delete('/:id', authenticate, handler('cancel'));
router.patch('/:id/cancel', authenticate, handler('cancel'));

// Hard-delete (admin only).
// NOTE(review): this is gated by the same permission as PATCH /:id
// ('fahrzeugbuchungen:manage'), so anyone allowed to update a booking may
// also delete it permanently — confirm that is the intended scope.
router.delete('/:id/force', ...withPermission('fahrzeugbuchungen:manage'), handler('hardDelete'));

// ── Single booking read — after specific routes to avoid path conflicts ──────
// Only `authenticate` runs here. NOTE(review): any per-booking visibility
// restriction would have to live in getById; verify against the controller.
router.get('/:id', authenticate, handler('getById'));

export default router;