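// Authentication utilities for API routes (Nuxt/Nitro server handlers).
//
// requireAuth() validates the caller's bearer token against Authentik and
// stores the verification response on event.context.auth; getCurrentUser()
// and hasPermission() read it back. All three depend on the framework's
// auto-imported helpers (useRuntimeConfig, getHeader, createError, $fetch).

// RFC 6750: the scheme name is case-insensitive and the token is a single
// opaque, non-empty word. Splitting on ' ' and taking [1] (the previous
// implementation) forwarded an empty token for "Bearer " and silently
// truncated "Bearer a b"; this matcher rejects both as malformed.
const BEARER_RE = /^Bearer\s+(\S+)\s*$/i;

/**
 * Require a valid Authentik bearer token on the incoming request.
 *
 * @param {object} event - h3 request event (read via getHeader, written via
 *   event.context.auth).
 * @returns {Promise<object>} the body returned by Authentik's token-verify
 *   endpoint; the same object is stored on event.context.auth.
 * @throws 401 when the Authorization header is missing/malformed or Authentik
 *   rejects the token; 503 when Authentik cannot be reached or fails with a
 *   5xx, so an identity-provider outage is not reported to clients as "bad
 *   credentials"; 500 when the Authentik URL is not configured.
 */
export const requireAuth = async (event) => {
  const config = useRuntimeConfig();
  const authentikUrl = config?.public?.authentikUrl;
  if (typeof authentikUrl !== 'string' || authentikUrl === '') {
    // Misconfiguration is a server fault; do not mask it as a client 401
    // (and never issue a request to `undefined/api/...`).
    throw createError({ statusCode: 500, message: 'Authentication service is not configured' });
  }

  const authHeader = getHeader(event, 'Authorization');
  const match = typeof authHeader === 'string' ? BEARER_RE.exec(authHeader) : null;
  if (!match) {
    throw createError({ statusCode: 401, message: 'No token provided' });
  }
  const token = match[1];

  let verification;
  try {
    // NOTE(review): no request timeout is set here; a hung IdP connection
    // will hold this handler open for as long as the platform allows.
    verification = await $fetch(`${authentikUrl}/api/v3/core/tokens/verify/`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${token}`,
      },
    });
  } catch (error) {
    const upstreamStatus = error?.response?.status ?? error?.statusCode;
    // Log only the status and message. Never log the whole error object:
    // $fetch (ofetch) errors carry the request options, including the
    // Authorization header, which would write the caller's token to the logs.
    console.error(
      'Token verification error:',
      upstreamStatus ?? 'no response',
      error?.message ?? String(error),
    );
    // Any HTTP answer below 500 from Authentik is treated as "token not
    // accepted" (the previous behaviour for all failures). Network errors and
    // 5xx mean the IdP itself is unhealthy — still fail closed, but say so.
    if (Number.isInteger(upstreamStatus) && upstreamStatus < 500) {
      throw createError({ statusCode: 401, message: 'Invalid or expired token' });
    }
    throw createError({ statusCode: 503, message: 'Authentication service unavailable' });
  }

  // Shape of `verification` is whatever Authentik returns from
  // tokens/verify/; hasPermission() below assumes it carries a `permissions`
  // array — TODO confirm against the Authentik API version in use.
  event.context.auth = verification;
  return verification;
};

/**
 * Return the verification payload stored by requireAuth() for this event,
 * or undefined when requireAuth() has not run (or rejected) for it.
 *
 * @param {object} event - h3 request event.
 * @returns {object | undefined}
 */
export const getCurrentUser = (event) => event?.context?.auth;

/**
 * Check whether the authenticated caller holds `permission`.
 *
 * Deny by default: a missing auth context, or a payload whose `permissions`
 * is not an array, yields false. The array check also prevents the substring
 * match String.prototype.includes would perform if `permissions` were a
 * string (e.g. "admin" matching "superadmin").
 *
 * @param {object} event - h3 request event (after requireAuth).
 * @param {string} permission - permission identifier to look for.
 * @returns {boolean}
 */
export const hasPermission = (event, permission) => {
  const user = getCurrentUser(event);
  if (!Array.isArray(user?.permissions)) return false;
  return user.permissions.includes(permission);
};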