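import { NextRequest, NextResponse } from 'next/server';
import { getAuthFromRequest } from './lib/jwt';

// Path prefixes that only the ADMIN role may open.
const ADMIN_ONLY_PATHS = ['/admin/users', '/admin/monitor'];
// Path prefixes that moderators may open as well as admins.
const MODERATOR_PATHS = ['/admin/pending'];

const ADMIN_ROLES: readonly string[] = ['ADMIN'];
// Roles this file treats as privileged. NOTE(review): taken from the role
// checks in this file; extend the list if other staff roles exist.
const STAFF_ROLES: readonly string[] = ['ADMIN', 'USER_MODERATOR', 'LISTING_MODERATOR'];

/**
 * Builds the login URL for an unauthenticated request.
 *
 * The `redirect` parameter carries the path and query string of the current
 * request, so it is always a same-origin relative path. The login page should
 * still validate it as a relative path before following it.
 */
function buildLoginRedirect(req: NextRequest) {
  const url = new URL('/auth/login', req.url);
  url.searchParams.set('redirect', req.nextUrl.pathname + req.nextUrl.search);
  return url;
}

/**
 * Returns the roles allowed to open `pathname`.
 *
 * Admin-only prefixes are checked first, so a path matching both lists gets
 * the stricter rule. Any /admin path in neither list falls back to
 * STAFF_ROLES: unlisted pages are denied by default rather than opened to
 * every authenticated account.
 */
function allowedRolesFor(pathname: string): readonly string[] {
  if (ADMIN_ONLY_PATHS.some((prefix) => pathname.startsWith(prefix))) {
    return ADMIN_ROLES;
  }
  if (MODERATOR_PATHS.some((prefix) => pathname.startsWith(prefix))) {
    return STAFF_ROLES;
  }
  return STAFF_ROLES;
}

/**
 * Gate for the /admin area.
 *
 * - Requests outside /admin pass through.
 * - Requests without a session are redirected to the login page.
 * - Requests whose role is not allowed for the path are redirected to `/`.
 *
 * This is a coarse, first-line check only. The matcher below covers
 * `/admin/:path*` and nothing else, so API routes and server actions that
 * serve admin data must enforce the role themselves and must not rely on
 * this middleware having run.
 *
 * @param req Incoming request.
 * @returns A pass-through response or a redirect.
 */
export async function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl;

  if (!pathname.startsWith('/admin')) {
    return NextResponse.next();
  }

  const session = await getAuthFromRequest(req);
  if (!session) {
    return NextResponse.redirect(buildLoginRedirect(req));
  }

  // Treat a missing or non-string role as "no role" instead of letting it
  // fall through to an allow.
  const role: unknown = session.role;
  const permitted = typeof role === 'string' && allowedRolesFor(pathname).includes(role);
  if (!permitted) {
    return NextResponse.redirect(new URL('/', req.url));
  }

  return NextResponse.next();
}

export const config = {
  matcher: ['/admin/:path*'],
};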