import { NextRequest, NextResponse } from "next/server";
import { getAuthFromRequest } from "./lib/jwt";

const ADMIN_ONLY_PATHS = ["/admin/users", "/admin/monitor", "/admin/settings"];
const MODERATOR_PATHS = ["/admin/pending"];

function buildLoginRedirect(req: NextRequest) {
  const url = new URL("/auth/login", req.url);
  url.searchParams.set("redirect", req.nextUrl.pathname + req.nextUrl.search);
  return url;
}

export async function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl;
  if (!pathname.startsWith("/admin")) {
    return NextResponse.next();
  }

  const session = await getAuthFromRequest(req);
  if (!session) {
    return NextResponse.redirect(buildLoginRedirect(req));
  }

  const role = session.role;
  const isAdminOnly = ADMIN_ONLY_PATHS.some((p) => pathname.startsWith(p));
  if (isAdminOnly && role !== "ADMIN") {
    return NextResponse.redirect(new URL("/", req.url));
  }

  const isModeratorPath = MODERATOR_PATHS.some((p) => pathname.startsWith(p));
  if (
    isModeratorPath &&
    !(
      role === "ADMIN" ||
      role === "USER_MODERATOR" ||
      role === "LISTING_MODERATOR"
    )
  ) {
    return NextResponse.redirect(new URL("/", req.url));
  }

  return NextResponse.next();
}

export const config = {
  matcher: ["/admin/:path*"],
};