'use strict';

/**
 * Feature-flag middleware: blocks the request when the named feature is
 * globally disabled in app_settings.
 *
 * Scope (B-lite): GLOBAL only — checks the app_settings.feature_<name>_enabled
 * row that admin toggles in the admin panel. Per-class disable
 * (classes.features JSON) and the free_student role-level overlay
 * (app_settings.free_student_features) are NOT checked here — those layers
 * remain UI-gated in /api/features. A student bypassing the UI gate via
 * direct curl is the documented limitation; can be tightened later by
 * extracting the merge logic from server.js → /api/features into a shared
 * helper.
 *
 * Default: missing key = enabled (opt-in disable model).
 *
 * Response: 404 on disabled feature (intentional — don't leak endpoint shape).
 *
 * Usage:
 *   app.use('/api/pet', requireFeature('pet'), petRoutes);
 *   router.get('/hangman/word', requireFeature('hangman'), authMiddleware, handler);
 */
const db = require('../db/db');

const _stmt = db.prepare(
  "SELECT value FROM app_settings WHERE key = ?"
);

function requireFeature(name) {
  const settingKey = `feature_${name}_enabled`;
  return (req, res, next) => {
    const row = _stmt.get(settingKey);
    if (row && row.value === '0') {
      return res.status(404).json({ error: 'Feature disabled' });
    }
    next();
  };
}

module.exports = { requireFeature };