import { NextRequest, NextResponse } from 'next/server';

/**
 * Edge middleware — lightweight JWT presence check on all /api/* routes.
 * Does NOT verify the token (that happens in route handlers via requireAdmin/getCurrentUser).
 * Blocks completely unauthenticated requests before they reach API logic.
 */

const PUBLIC_PATHS = new Set([
  '/api/auth/login',
  '/api/auth/forgot-password',
  '/api/health',
  '/api/seed',
]);

function isPublic(pathname: string): boolean {
  return PUBLIC_PATHS.has(pathname);
}

function getToken(req: NextRequest): string | null {
  // Cookie: token=...
  const cookie = req.cookies.get('token');
  if (cookie?.value) return cookie.value;

  // Authorization: Bearer ...
  const authHeader = req.headers.get('authorization');
  if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);

  return null;
}

export function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl;

  // Only protect /api/* routes (skip pages, static assets, etc.)
  if (!pathname.startsWith('/api/')) return NextResponse.next();

  // Allow public routes
  if (isPublic(pathname)) return NextResponse.next();

  // Require token presence
  const token = getToken(req);
  if (!token) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }

  return NextResponse.next();
}

export const config = {
  matcher: '/api/:path*',
};