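// Authentication utilities for API routes - Updated for cookie-based auth
//
// The original version only base64-decoded the JWT payload and never checked the
// signature, so any client could mint an `auth_token` cookie with arbitrary claims.
// Tokens are now verified with node:crypto before any claim is trusted.
import { createHmac, timingSafeEqual, verify as cryptoVerify } from 'node:crypto';

// Signature algorithms this module knows how to verify. The algorithm is fixed by
// server configuration, never taken from the token header, so `alg: none` and
// HMAC/RSA key-confusion tokens are rejected before any cryptography runs.
const SUPPORTED_ALGS = Object.freeze(['HS256', 'RS256']);

// JWT segments are base64url (RFC 7515); Node's 'base64url' encoding handles them directly.
const decodeSegment = (segment) => Buffer.from(segment, 'base64url');

// Parse a decoded segment as a JSON object; rejects non-object values (arrays, primitives).
const parseJsonObject = (buf, what) => {
  let value;
  try {
    value = JSON.parse(buf.toString('utf8'));
  } catch {
    throw new Error(`Invalid JWT ${what}`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`Invalid JWT ${what}`);
  }
  return value;
};

// Constant-time HMAC-SHA256 comparison; length is checked first because
// timingSafeEqual throws on buffers of different length.
const hmacMatches = (signedInput, signature, secret) => {
  const expected = createHmac('sha256', secret).update(signedInput).digest();
  return expected.length === signature.length && timingSafeEqual(expected, signature);
};

// RSA-SHA256 (RS256) check; a malformed key is treated as "does not verify".
const rsaMatches = (signedInput, signature, publicKey) => {
  try {
    return cryptoVerify('sha256', signedInput, publicKey, signature);
  } catch {
    return false;
  }
};

/**
 * Verify a compact JWS/JWT and return its payload.
 *
 * Checks, in order: three-segment format, configured algorithm present and
 * supported, header `alg` equal to the configured one, signature over
 * `header.payload`, then `exp` (must be in the future if present) and `nbf`
 * (must not be in the future if present). No clock-skew leeway is applied.
 *
 * @param {string} token - Compact JWT (`header.payload.signature`).
 * @param {{alg: string, key: string|Buffer|import('node:crypto').KeyObject}} verifier -
 *   `alg` is 'HS256' (shared secret in `key`) or 'RS256' (RSA public key, e.g. PEM, in `key`).
 * @param {{now?: number}} [options] - `now` in seconds since the epoch; defaults to the current time.
 * @returns {object} The verified payload (claims) as a plain object.
 * @throws {Error} On any format, configuration, signature or time-window failure.
 */
export const verifyJwt = (token, verifier, { now = Math.floor(Date.now() / 1000) } = {}) => {
  if (typeof token !== 'string') {
    throw new Error('Invalid JWT format');
  }
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('Invalid JWT format');
  }
  const [headerB64, payloadB64, signatureB64] = parts;

  // Fail closed: with no key or an unknown algorithm nothing can be trusted.
  const alg = verifier?.alg;
  const key = verifier?.key;
  if (!key || !SUPPORTED_ALGS.includes(alg)) {
    throw new Error('JWT verification key or algorithm not configured');
  }

  const header = parseJsonObject(decodeSegment(headerB64), 'header');
  if (header.alg !== alg) {
    throw new Error(`Unexpected JWT algorithm: ${String(header.alg)}`);
  }

  // The signature covers the raw base64url text of header and payload, not the decoded bytes.
  const signedInput = Buffer.from(`${headerB64}.${payloadB64}`, 'utf8');
  const signature = decodeSegment(signatureB64);
  const signatureOk =
    alg === 'HS256' ? hmacMatches(signedInput, signature, key) : rsaMatches(signedInput, signature, key);
  if (!signatureOk) {
    throw new Error('Invalid JWT signature');
  }

  // Only now is the payload trustworthy enough to read claims from.
  const payload = parseJsonObject(decodeSegment(payloadB64), 'payload');
  if (typeof payload.exp === 'number' && payload.exp < now) {
    throw new Error('Token has expired');
  }
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    throw new Error('Token not yet valid');
  }
  return payload;
};

/**
 * Require a verified `auth_token` cookie on the request.
 *
 * Reads the cookie, verifies it with `verifyJwt` using the runtime config, and
 * stores the extracted user info on `event.context.auth` (and the raw token on
 * `event.context.authToken`) for downstream handlers.
 *
 * Runtime config keys used here — `jwtAlgorithm` ('HS256' | 'RS256') and
 * `jwtVerificationKey` (shared secret or public key) — are names introduced by
 * this module; wire them to the identity provider's signing key in runtimeConfig.
 * Until they are set every request is rejected with 401 (fail closed).
 *
 * @param {object} event - H3 event (`getCookie`, `createError`, `useRuntimeConfig` are auto-imported).
 * @returns {Promise<object>} The user info object placed on `event.context.auth`.
 * @throws 401 via `createError` when the cookie is missing or the token does not verify.
 */
export const requireAuth = async (event) => {
  const config = useRuntimeConfig();

  // Check for auth_token in cookies (Authentik sends via cookies)
  const authToken = getCookie(event, 'auth_token');
  if (!authToken) {
    console.error('❌ No auth_token cookie found');
    throw createError({ statusCode: 401, message: 'No authentication token provided' });
  }

  try {
    console.log('🔐 Decoding JWT token...');
    const payload = verifyJwt(authToken, {
      alg: config.jwtAlgorithm,
      key: config.jwtVerificationKey,
    });

    // Extract user information from the (now verified) JWT payload
    const userInfo = {
      sub: payload.sub,
      email: payload.email,
      email_verified: payload.email_verified,
      name: payload.name,
      given_name: payload.given_name,
      preferred_username: payload.preferred_username,
      nickname: payload.nickname,
      // Only accept an actual array; a string claim would otherwise leak into `.includes` callers.
      groups: Array.isArray(payload.groups) ? payload.groups : [],
      uid: payload.uid,
    };

    console.log('✅ Authentication successful for user:', userInfo.preferred_username);

    // Add user info to event context
    event.context.auth = userInfo;
    event.context.authToken = authToken;

    return userInfo;
  } catch (error) {
    // Internal reason goes to the log only; the client gets a generic 401.
    console.error('❌ Token verification failed:', error.message);
    throw createError({ statusCode: 401, message: 'Invalid or expired authentication token' });
  }
};

/**
 * Get the current user from the event context (valid only after `requireAuth` ran).
 * @param {object} event - H3 event.
 * @returns {object|undefined} The user info set by `requireAuth`, or undefined.
 */
export const getCurrentUser = (event) => event.context.auth;

/**
 * Check whether the current user carries a given permission.
 *
 * NOTE(review): `requireAuth` populates `groups`, not `permissions`, so this
 * returns false unless something else sets `event.context.auth.permissions`.
 *
 * @param {object} event - H3 event.
 * @param {string} permission - Permission name to look for.
 * @returns {boolean} true only when `permissions` is an array containing `permission`.
 */
export const hasPermission = (event, permission) => {
  const user = getCurrentUser(event);
  return Array.isArray(user?.permissions) && user.permissions.includes(permission);
};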