import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
import { decryptSessionId } from "@/lib/crypto";
import { prisma } from "@/lib/prisma";

const publicRoutes = ["/login", "/forgot-password", "/reset-password"];

export async function proxy(request: NextRequest) {
  const path = request.nextUrl.pathname;
  const isPublicRoute = publicRoutes.some((r) => path.startsWith(r));

  // Read session cookie directly from request (synchronous in proxy)
  const sessionCookie = request.cookies.get("session")?.value;

  let isAuthenticated = false;

  if (sessionCookie) {
    const sessionId = decryptSessionId(sessionCookie);
    if (sessionId) {
      const session = await prisma.session.findUnique({
        where: { id: sessionId },
      });
      if (session && session.expiresAt > new Date()) {
        isAuthenticated = true;
      }
    }
  }

  // Redirect unauthenticated users away from protected routes
  if (!isAuthenticated && !isPublicRoute) {
    return NextResponse.redirect(new URL("/login", request.url));
  }

  // Redirect authenticated users away from auth pages
  if (isAuthenticated && isPublicRoute) {
    return NextResponse.redirect(new URL("/", request.url));
  }

  return NextResponse.next();
}

export const config = {
  matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\.png$).*)"],
};