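module Admin
  # Admin sign-in / sign-out. Authentication state is cookie-session based:
  # the admin's id lives in `session[:admin_id]` and is resolved per request
  # by `current_admin`.
  class SessionsController < ActionController::Base
    layout "admin"

    # ActionController::Base already enables CSRF verification; it is restated
    # here so `create` and `destroy` raise on a missing or invalid token.
    # Rails only verifies the token on non-GET requests, so `new` is unaffected.
    protect_from_forgery with: :exception

    # GET login form. An admin who is already signed in is sent straight to
    # the dashboard instead of seeing the form again.
    def new
      redirect_to admin_dashboard_path if current_admin
    end

    # POST login. Looks the admin up by lower-cased email and verifies the
    # password via `AdminUser#authenticate`.
    #
    # On success the session is rotated with `reset_session` *before* the
    # admin id is stored, so a session id issued (or planted) before login
    # cannot carry over into the authenticated session (session fixation).
    # On failure the form is re-rendered with one generic message for both
    # "unknown email" and "wrong password", so the response body does not
    # reveal which accounts exist.
    def create
      admin = AdminUser.find_by(email: params[:email]&.downcase)

      unless admin&.authenticate(params[:password])
        flash.now[:alert] = "Invalid email or password"
        return render :new, status: :unprocessable_entity
      end

      reset_session
      session[:admin_id] = admin.id
      admin.update_last_login!
      redirect_to admin_dashboard_path, notice: "Welcome back, #{admin.name}!"
    end

    # DELETE logout. The entire session is discarded rather than only the
    # admin id, so nothing else written during the authenticated session
    # survives sign-out.
    def destroy
      reset_session
      redirect_to admin_login_path, notice: "You have been logged out"
    end

    private

    # The signed-in AdminUser for this request, or nil when nobody is signed
    # in. Memoised per request; a stale id (admin removed after login)
    # simply resolves to nil.
    def current_admin
      return unless session[:admin_id]

      @current_admin ||= AdminUser.find_by(id: session[:admin_id])
    end
    helper_method :current_admin
  end
end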