class AuthUsersController < ApplicationController
	# Sign-up (`new` / `create`) is the only thing an anonymous visitor may do
	# here; every other action needs a signed-in session.
	#
	# NOTE(review): the filter is named for a `user` Devise scope, while the
	# rest of this controller works with the `auth_user` scope
	# (`current_auth_user`, `sign_in :auth_user`). Presumably `authenticate_user!`
	# lives in ApplicationController and gates on the same session — confirm.
	before_action :authenticate_user!, except: %i[new create]

	# GET /auth_users/new — blank sign-up form.
	def new
		@auth_user = AuthUser.new
	end

	# POST /auth_users — register an account from the permitted params and
	# start a session for it. A failed save re-renders the form with a 422.
	def create
		@auth_user = AuthUser.create(auth_user_params)

		unless @auth_user.persisted?
			render :new, status: :unprocessable_entity
			return
		end

		sign_in :auth_user, @auth_user
		# `name` is user-supplied; this is safe only as long as the layout renders
		# flash through the default HTML-escaping view helpers.
		redirect_to root_path,
			notice: "Welcome to Dress to Impress, #{@auth_user.name}! 💖"
	end

	# GET /auth_users/:id/edit — settings form for the signed-in account.
	#
	# Unlike `update`, this does not compare `params[:id]` with the session:
	# whatever id is in the URL, the form shown is the current user's own, so no
	# other account's data can be reached through it.
	def edit
		# Nothing has been edited yet, so the "persisted" copy the form inspects
		# is simply the live record.
		@auth_user = @persisted_auth_user = current_auth_user
	end

	# PATCH /auth_users/:id — apply settings changes to the signed-in account.
	#
	# Two references are kept on purpose: `@auth_user` receives the submitted
	# attributes (and may end up dirty but unsaved), while `@persisted_auth_user`
	# is a snapshot of the record as loaded. The re-rendered form can therefore
	# ask `uses_password?` about the *saved* state when deciding whether to show
	# the "Current password" field, instead of being misled by a password change
	# that never made it to the database.
	#
	# HACK: `dup` is the snapshot mechanism, even though it actually yields a
	#       new, unsaved record that merely shares the attributes. A proper
	#       read-only copy would be nicer if Rails offered one.
	def update
		@auth_user = load_auth_user
		@persisted_auth_user = @auth_user.dup

		# Devise's `update_with_password` applies the change only when the
		# submitted `current_password` verifies; that gate is what makes it safe
		# to accept `email` / `password` from the request at all.
		saved = @auth_user.update_with_password(auth_user_params)

		if saved
			# Devise drops the session after a password change (presumably because
			# the salt stored in the session no longer matches), so re-establish
			# it without running the sign-in callbacks again.
			bypass_sign_in @auth_user, scope: :auth_user

			flash[:notice] = "Settings successfully saved."
			redirect_to action: :edit
		else
			render :edit, status: :unprocessable_entity
		end
	end

	private

	# Strong-params whitelist shared by `create` and `update`.
	#
	# NOTE(review): `email` and `password` are acceptable on update only because
	# `update_with_password` insists on `current_password`. Feeding this same
	# hash to a plain `update` would let a hijacked session rotate the
	# credentials silently — keep the two paired.
	def auth_user_params
		params.require(:auth_user).permit(:name, :email, :password,
			:password_confirmation, :current_password)
	end

	# The record `update` is allowed to touch — always the signed-in user.
	#
	# `params[:id]` is accepted only when it equals the session user's id, so the
	# URL carries no authority of its own; it exists for REST routing. `to_i` is
	# lenient ("42abc" -> 42, nil -> 0), but that cannot widen access, since the
	# only value that passes is the caller's own id.
	#
	# @raise [AccessDenied] when nobody is signed in or the id does not match
	def load_auth_user
		requested_id = params[:id].to_i
		raise AccessDenied unless auth_user_signed_in? && current_auth_user.id == requested_id

		current_auth_user
	end
end