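/*
 * Parameter validation middleware. Each route parameter is checked against
 * a safe pattern to prevent unexpected input from reaching database queries.
 * The whitelist approach rejects obviously invalid identifiers early, keeping
 * service-layer code cleaner.
 */

// Short codes / slugs: 1-100 ASCII letters, digits, "_" or "-".
const SAFE_CODE_PATTERN = /^[a-zA-Z0-9_-]{1,100}$/;

// Canonical lowercase UUID layout (8-4-4-4-12 hex groups). A plain
// "36 chars drawn from [a-f0-9-]" check would also accept inputs such as
// 36 dashes or 36 hex digits with no dashes, so the layout is pinned here.
const SAFE_UUID_PATTERN =
  /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/;

// Non-negative decimal number written out in full: "12", "0", "3.25".
// Number() on its own would also turn "", "   ", "0x1f", "1e3" or "+5"
// into a finite non-negative number, which is not what a route param
// validator should let through.
const SAFE_NUMERIC_PATTERN = /^\d+(\.\d+)?$/;

/**
 * Build middleware that rejects `req.params[paramName]` unless it is a
 * non-empty string matching a whitelist pattern.
 *
 * @param {string} paramName - Name of the route parameter to check.
 * @param {{ pattern?: RegExp | null }} [options]
 * @param {RegExp | null} [options.pattern] - Explicit pattern. When omitted,
 *   a name containing "id" (case-insensitive) is checked as a UUID, any
 *   other name as a short code.
 * @returns {(req: object, res: object, next: Function) => void} Express-style
 *   middleware. Responds 400 with `{ message }` on failure, otherwise calls
 *   `next()`.
 */
export function validateParam(paramName, { pattern = null } = {}) {
  // Heuristic: "id" anywhere in the name selects the UUID pattern. This also
  // matches names such as "provider" or "video"; pass an explicit `pattern`
  // for those.
  const resolvedPattern =
    pattern ??
    (paramName.toLowerCase().includes('id') ? SAFE_UUID_PATTERN : SAFE_CODE_PATTERN);

  return (req, res, next) => {
    const value = req.params[paramName];
    // Require an actual non-empty string: a missing param (undefined) or a
    // non-string value would otherwise be stringified by RegExp#test.
    if (typeof value !== 'string' || value === '' || !resolvedPattern.test(value)) {
      return res.status(400).json({ message: `Invalid parameter: ${paramName}` });
    }
    next();
  };
}

/**
 * Build middleware that rejects `req.params[paramName]` unless it is a
 * non-negative decimal number written in plain digits (optionally with a
 * fractional part).
 *
 * Validation is done on the raw string before any Number() coercion so that
 * empty/whitespace strings, hex/octal/binary literals, exponents and signs
 * are rejected instead of silently coerced. The param is left as a string
 * on `req.params`; it is not converted here.
 *
 * @param {string} paramName - Name of the route parameter to check.
 * @returns {(req: object, res: object, next: Function) => void} Express-style
 *   middleware. Responds 400 with `{ message }` on failure, otherwise calls
 *   `next()`.
 */
export function validateNumericParam(paramName) {
  return (req, res, next) => {
    const raw = req.params[paramName];
    const isWellFormed = typeof raw === 'string' && SAFE_NUMERIC_PATTERN.test(raw);
    // Very long digit strings still overflow to Infinity, so keep the
    // finiteness check even after the pattern has passed.
    if (!isWellFormed || !Number.isFinite(Number(raw))) {
      return res.status(400).json({ message: `Invalid numeric parameter: ${paramName}` });
    }
    next();
  };
}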