package policies

import (
	"context"

	"slices"

	"github.com/fiatjaf/khatru"
	"github.com/nbd-wtf/go-nostr"
)

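// RejectKind04Snoopers prevents reading NIP-04 messages (kind 4) by anyone
// who is not a party to the conversation.
//
// It returns (true, reason) to reject the filter and (false, "") to let it
// through. A filter that lists kind 4 is accepted only when the connection is
// authenticated and the authenticated public key is either the single author
// or the single "p"-tagged recipient named in the filter.
//
// NOTE(review): only filters that list kind 4 explicitly are inspected. A
// filter with an empty Kinds list passes through unchecked; if such a filter
// can match kind-4 events in the backing store, that case has to be covered
// by another policy. Confirm against the relay's query path.
func RejectKind04Snoopers(ctx context.Context, filter nostr.Filter) (bool, string) {
	// Filters that do not ask for kind 4 are outside this policy.
	if !slices.Contains(filter.Kinds, 4) {
		return false, ""
	}

	// Fail closed: when ctx carries no connection there is no proven
	// identity, so the request is handled as unauthenticated instead of
	// dereferencing a nil connection.
	var authed string
	if ws := khatru.GetConnection(ctx); ws != nil {
		authed = ws.AuthedPublicKey
	}

	senders := filter.Authors
	// Indexing a nil or missing map entry yields a nil slice, so no ok-check is needed.
	receivers := filter.Tags["p"]

	switch {
	case authed == "":
		// not authenticated
		return true, "restricted: this relay does not serve kind-4 to unauthenticated users, does your client implement NIP-42?"
	case len(senders) == 1 && len(receivers) < 2 && senders[0] == authed:
		// allowed filter: the authenticated key is the sole sender
		// (the filter names one receiver or leaves receivers open)
		return false, ""
	case len(receivers) == 1 && len(senders) < 2 && receivers[0] == authed:
		// allowed filter: the authenticated key is the sole receiver
		// (the filter names one sender or leaves senders open)
		return false, ""
	default:
		// restricted filter: reject it outright rather than narrowing it,
		// even if other filters in the same request were not restricted.
		return true, "restricted: authenticated user does not have authorization for requested filters."
	}
}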