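-- Google Drive integration: per-user OAuth tokens and the registry of Drive
-- files/folders shared with associations.
--
-- Relies on objects defined elsewhere in the database (not in this file):
--   * public.has_role(uuid, text)            -- role check used by the policies
--   * public.update_updated_at_column()      -- trigger function for updated_at
--   * public.board_members(user_id, association_id)
--   * public.owners(user_id, association_id)

-- Store Google Drive OAuth tokens for admin users.
-- NOTE(review): access_token and refresh_token are stored in plaintext. A
-- refresh token is a long-lived credential, so anyone who can read this table
-- (including whoever holds database dumps/backups) can act as that user against
-- Google Drive until the token is revoked. Consider encrypting the two columns
-- at rest with the platform's encryption facility and keeping the table out of
-- any general-purpose read grant -- confirm against the integration's design.
CREATE TABLE public.google_drive_tokens (
    id               UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    -- Exactly one token row per user; deleting the user removes the row.
    user_id          UUID NOT NULL UNIQUE REFERENCES auth.users(id) ON DELETE CASCADE,
    access_token     TEXT NOT NULL,
    refresh_token    TEXT NOT NULL,
    -- Expiry instant of access_token.
    token_expires_at TIMESTAMPTZ NOT NULL,
    created_at       TIMESTAMPTZ NOT NULL DEFAULT now(),
    updated_at       TIMESTAMPTZ NOT NULL DEFAULT now()
);

ALTER TABLE public.google_drive_tokens ENABLE ROW LEVEL SECURITY;

-- A user may read and modify only their own token row, and only while holding
-- the admin or manager role.
-- NOTE(review): FOR ALL includes SELECT, so the owning user's own session can
-- read refresh_token through any API layer that exposes this table to the
-- `authenticated` role. If the tokens are consumed only by server-side code,
-- restrict this policy to the commands the client actually needs -- confirm
-- with the callers.
CREATE POLICY "Admins can manage their own tokens"
    ON public.google_drive_tokens
    FOR ALL
    TO authenticated
    USING (
        user_id = auth.uid()
        AND (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'))
    )
    WITH CHECK (
        user_id = auth.uid()
        AND (public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager'))
    );

-- Track which Drive files/folders are shared and with whom.
CREATE TABLE public.shared_drive_files (
    id                  UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    -- Google Drive identifier and display metadata for the shared item.
    drive_file_id       TEXT NOT NULL,
    drive_file_name     TEXT NOT NULL,
    drive_mime_type     TEXT,
    drive_icon_link     TEXT,
    drive_web_view_link TEXT,
    is_folder           BOOLEAN NOT NULL DEFAULT false,
    -- Staff user who created the share; becomes NULL if that user is deleted.
    shared_by           UUID REFERENCES auth.users(id) ON DELETE SET NULL,
    -- Associations whose board members / owners may see this item (see the
    -- SELECT policy below). NULL or empty grants no association-based access.
    association_ids     UUID[] DEFAULT '{}',
    -- Audience tags. Only 'board_member' and 'homeowner' grant access in the
    -- SELECT policy below; any other value (including the default 'admin') has
    -- no effect there, so a misspelled tag silently hides the item from
    -- non-staff users.
    -- NOTE(review): a CHECK constraint over the known tags would catch that at
    -- write time -- add one once the full set the application writes is
    -- confirmed.
    visibility          TEXT[] NOT NULL DEFAULT '{admin}',
    -- Self-reference to the containing share (presumably the shared folder this
    -- item belongs to); deleting the parent share removes its children.
    parent_shared_id    UUID REFERENCES public.shared_drive_files(id) ON DELETE CASCADE,
    created_at          TIMESTAMPTZ NOT NULL DEFAULT now(),
    updated_at          TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Postgres does not index foreign-key columns automatically; without these the
-- ON DELETE actions above (and lookups by parent) scan the whole table.
CREATE INDEX shared_drive_files_parent_shared_id_idx
    ON public.shared_drive_files (parent_shared_id);
CREATE INDEX shared_drive_files_shared_by_idx
    ON public.shared_drive_files (shared_by);

ALTER TABLE public.shared_drive_files ENABLE ROW LEVEL SECURITY;

-- Staff (admin or manager) have full access to every share.
CREATE POLICY "Staff can manage shared drive files"
    ON public.shared_drive_files
    FOR ALL
    TO authenticated
    USING (
        public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager')
    )
    WITH CHECK (
        public.has_role(auth.uid(), 'admin') OR public.has_role(auth.uid(), 'manager')
    );

-- Board members and homeowners can view items tagged for their role and linked
-- to an association they belong to. The staff clause is repeated here for
-- readability only: permissive policies are OR-ed, so the policy above already
-- grants staff SELECT.
-- NOTE(review): the EXISTS subqueries run per candidate row and filter
-- board_members/owners by user_id; check that those columns are indexed on the
-- referenced tables.
CREATE POLICY "Users can view files shared with their role or association"
    ON public.shared_drive_files
    FOR SELECT
    TO authenticated
    USING (
        public.has_role(auth.uid(), 'admin')
        OR public.has_role(auth.uid(), 'manager')
        OR (
            'board_member' = ANY(visibility)
            AND EXISTS (
                SELECT 1
                FROM public.board_members AS bm
                WHERE bm.user_id = auth.uid()
                  AND bm.association_id = ANY(shared_drive_files.association_ids)
            )
        )
        OR (
            'homeowner' = ANY(visibility)
            AND EXISTS (
                SELECT 1
                FROM public.owners AS o
                WHERE o.user_id = auth.uid()
                  AND o.association_id = ANY(shared_drive_files.association_ids)
            )
        )
    );

-- Maintain updated_at on row updates (function defined elsewhere; presumably
-- sets updated_at = now()).
CREATE TRIGGER update_google_drive_tokens_updated_at
    BEFORE UPDATE ON public.google_drive_tokens
    FOR EACH ROW
    EXECUTE FUNCTION public.update_updated_at_column();

CREATE TRIGGER update_shared_drive_files_updated_at
    BEFORE UPDATE ON public.shared_drive_files
    FOR EACH ROW
    EXECUTE FUNCTION public.update_updated_at_column();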