import { getToken } from "next-auth/jwt";
import { NextResponse, type NextRequest } from "next/server";
import { allowedRolesForAdminPath, hasAnyRole } from "@/lib/admin-auth";

/**
 * Edge gate for the admin area.
 *
 * Every path outside `/admin` passes straight through. Inside it, the
 * next-auth JWT is read from the request (signed with `AUTH_SECRET`,
 * falling back to `NEXTAUTH_SECRET`) and the request is routed as follows:
 *
 * - no JWT, not on the login page  -> redirect to `/admin/login` carrying the
 *   original path+query as `callbackUrl`
 * - no JWT, on the login page      -> pass through
 * - JWT, on the login page         -> redirect to `/admin`
 * - JWT, anywhere else             -> pass through only if the JWT's `role`
 *   satisfies `allowedRolesForAdminPath(pathname)`, otherwise redirect to
 *   `/admin?error=forbidden`
 *
 * @param request - Incoming request; `nextUrl` supplies path and query.
 * @returns `NextResponse.next()` when the request may proceed, otherwise
 *   one of the redirects described above.
 */
export async function proxy(request: NextRequest) {
  const { pathname, search } = request.nextUrl;

  // Not under the admin subtree: nothing to enforce here.
  if (!pathname.startsWith("/admin")) {
    return NextResponse.next();
  }

  const onLoginPage = pathname === "/admin/login";
  const jwt = await getToken({
    req: request,
    secret: process.env.AUTH_SECRET ?? process.env.NEXTAUTH_SECRET,
  });

  if (!jwt) {
    // Anonymous visitor. The login page itself stays reachable; anything
    // else bounces there. callbackUrl is derived from the request's own
    // path and query (always beginning with "/admin"), not from a
    // caller-supplied parameter — how the login page consumes it is
    // outside this file.
    if (onLoginPage) {
      return NextResponse.next();
    }
    const loginUrl = new URL("/admin/login", request.url);
    loginUrl.searchParams.set("callbackUrl", `${pathname}${search}`);
    return NextResponse.redirect(loginUrl);
  }

  // Already signed in: keep users off the login page.
  if (onLoginPage) {
    return NextResponse.redirect(new URL("/admin", request.url));
  }

  // Signed in and past the login page: enforce the per-path role list.
  // NOTE(review): assumes allowedRolesForAdminPath("/admin") admits every
  // role that can sign in; if it does not, the forbidden redirect below
  // would land on a page that redirects again — confirm against admin-auth.
  const permittedRoles = allowedRolesForAdminPath(pathname);
  if (!hasAnyRole(jwt.role, permittedRoles)) {
    return NextResponse.redirect(new URL("/admin?error=forbidden", request.url));
  }

  return NextResponse.next();
}

/**
 * Limits the proxy to the admin subtree (`/admin` and everything below it).
 *
 * Paths outside this matcher never reach `proxy`, so any route that performs
 * admin actions from elsewhere (API handlers, server actions) is not gated
 * here and must enforce authorization on its own.
 */
export const config = {
  matcher: ["/admin/:path*"],
};
