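import { NextRequest, NextResponse } from 'next/server';
import { jwtVerify } from 'jose';

/** Name of the cookie that carries the signed session JWT. */
const SESSION_COOKIE_NAME = 'auth_session';

/** Paths reachable without a session (the login page and its check endpoint). */
const PUBLIC_PATHS = ['/login', '/api/check'] as const;

/**
 * True when `pathname` is exactly `base` or a sub-path of it.
 *
 * A plain `startsWith` would also accept `/loginfoo` or `/api/checkout`,
 * which would let unrelated routes bypass the session check.
 */
function isPublicPath(pathname: string): boolean {
  return PUBLIC_PATHS.some(
    (base) => pathname === base || pathname.startsWith(`${base}/`),
  );
}

/** Redirect to /login and drop the (missing, invalid or expired) session cookie. */
function redirectToLogin(request: NextRequest): NextResponse {
  const response = NextResponse.redirect(new URL('/login', request.url));
  response.cookies.delete(SESSION_COOKIE_NAME);
  return response;
}

/**
 * Request gate: lets the request through when it carries a valid session
 * JWT, otherwise sends the client to /login.
 *
 * - When AUTH_USERS is not set, authentication is disabled and every request
 *   passes (existing behaviour, kept as-is).
 * - When AUTH_USERS is set but AUTH_SECRET is not, the gate fails closed with
 *   a 500 instead of verifying against a hard-coded fallback key: a
 *   publicly known secret would let anyone mint a valid session cookie.
 *
 * @param request The incoming request.
 * @returns `NextResponse.next()` to continue, a redirect to /login, or a
 *   500 response when the secret is not configured.
 */
export async function proxy(request: NextRequest) {
  const { pathname } = request.nextUrl;

  // Authentication is disabled entirely when no users are configured.
  if (!process.env.AUTH_USERS) {
    return NextResponse.next();
  }

  if (isPublicPath(pathname)) {
    return NextResponse.next();
  }

  const sessionCookie = request.cookies.get(SESSION_COOKIE_NAME);
  if (!sessionCookie) {
    return redirectToLogin(request);
  }

  // Fail closed: never fall back to a default secret.
  const secretKey = process.env.AUTH_SECRET;
  if (!secretKey) {
    return new NextResponse('AUTH_SECRET is not configured', { status: 500 });
  }

  try {
    const key = new TextEncoder().encode(secretKey);
    // Pin the algorithm so a token signed with anything but HS256 is rejected;
    // jwtVerify also enforces the standard `exp` claim when present.
    const { payload } = await jwtVerify(sessionCookie.value, key, {
      algorithms: ['HS256'],
    });

    // Application-level expiry claim (milliseconds since epoch), checked in
    // addition to `exp`; a non-numeric value is treated as absent.
    if (typeof payload.expiresAt === 'number' && payload.expiresAt < Date.now()) {
      return redirectToLogin(request);
    }

    return NextResponse.next();
  } catch {
    // Signature mismatch, malformed token or expired `exp`.
    return redirectToLogin(request);
  }
}

/** Apply to every path except static assets and images. */
export const config = {
  matcher: [
    '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
  ],
};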