Nexus.Reader/src/NexusReader.Application/Security/Authorization/ProUserHandler.cs


using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using NexusReader.Domain.Entities;
namespace NexusReader.Application.Security.Authorization;
/// <summary>
/// Authorization handler that evaluates <see cref="ProUserRequirement"/> against the
/// stored <see cref="NexusUser"/> record rather than against claims carried in the principal.
/// </summary>
/// <remarks>
/// The handler only ever calls <c>Succeed</c>; it never calls <c>Fail</c>. When it returns
/// without succeeding, the requirement is simply left unmet by this handler.
/// Only <c>SubscriptionPlanId</c>, <c>AITokensUsed</c> and <c>AITokenLimit</c> are read;
/// no other account state is examined here.
/// </remarks>
public class ProUserHandler : AuthorizationHandler<ProUserRequirement>
{
    private readonly UserManager<NexusUser> _userManager;

    /// <summary>Creates the handler with the user store used for per-request lookups.</summary>
    /// <param name="userManager">Identity user manager used to load the current user by id.</param>
    public ProUserHandler(UserManager<NexusUser> userManager) => _userManager = userManager;

    /// <summary>
    /// Marks <paramref name="requirement"/> as satisfied when the current user either holds the
    /// Pro plan or has used fewer AI tokens than their limit.
    /// </summary>
    /// <param name="context">Authorization context carrying the principal being evaluated.</param>
    /// <param name="requirement">The requirement instance to mark as succeeded.</param>
    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ProUserRequirement requirement)
    {
        // No NameIdentifier claim: nothing to look up, so leave the requirement unmet.
        var subjectId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (string.IsNullOrEmpty(subjectId))
        {
            return;
        }

        // Load the user on every evaluation, so the decision uses the stored plan and token
        // counters instead of values baked into the principal when it was issued.
        var account = await _userManager.FindByIdAsync(subjectId);
        if (account is null)
        {
            return;
        }

        // Two independent grants: the explicit Pro plan, or remaining token budget.
        // NOTE(review): the second grant lets a non-Pro account satisfy a requirement named
        // "ProUser" while AITokensUsed < AITokenLimit. Confirm every policy using this
        // requirement intends that. This is a point-in-time read; nothing here reserves or
        // decrements tokens, so consumption presumably has to be enforced where tokens are spent.
        if (account.SubscriptionPlanId == SubscriptionPlan.ProId
            || account.AITokensUsed < account.AITokenLimit)
        {
            context.Succeed(requirement);
        }
    }
}