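/**
 * GET /api/auth/theia-check
 *
 * Traefik ForwardAuth endpoint for theia.vibnai.com.
 *
 * Traefik calls this URL for every request to the Theia IDE, forwarding
 * the user's Cookie header via authRequestHeaders. We validate the
 * NextAuth session token and return:
 *   200 — session valid, Traefik lets the request through
 *   302 — no session, redirect browser to Vibn login
 *
 * Trust boundary: the X-Forwarded-* request headers are only as trustworthy
 * as the hop that set them. This route is an ordinary HTTP endpoint, so the
 * headers are treated as untrusted input and the post-login destination is
 * pinned to the Theia origin.
 */
import { NextRequest, NextResponse } from 'next/server';
import { getToken } from 'next-auth/jwt';

const APP_URL = process.env.NEXTAUTH_URL ?? 'https://vibnai.com';
const THEIA_URL = 'https://theia.vibnai.com';

// Only this host may appear in the callbackUrl handed to the login page.
const THEIA_HOST = new URL(THEIA_URL).host;

/**
 * Reads and verifies the NextAuth session token from the forwarded cookies.
 *
 * Fails closed: any error raised during validation is treated the same as
 * "no session", so a malformed or tampered cookie can never yield a 200.
 *
 * @returns the decoded token, or `null` when absent or invalid.
 */
async function readSessionToken(request: NextRequest) {
  try {
    return await getToken({
      req: request,
      secret: process.env.NEXTAUTH_SECRET,
    });
  } catch {
    // If token validation throws, treat as unauthenticated
    return null;
  }
}

/**
 * Builds the URL the user should land on after logging in.
 *
 * The candidate is assembled from the X-Forwarded-* headers and then parsed;
 * it is accepted only when the parsed URL is http(s) on the Theia host.
 * Checking the parsed result (not the raw header strings) also rejects a
 * forwarded URI that does not start with "/" and would otherwise turn the
 * intended host into userinfo (e.g. "host@other"). Anything else falls back
 * to THEIA_URL.
 *
 * NOTE(review): the login page at `${APP_URL}/auth` should still validate
 * callbackUrl on its side — that handling is not visible from this file.
 */
function resolvePostLoginDestination(request: NextRequest): string {
  const forwardedHost = request.headers.get('x-forwarded-host');
  if (!forwardedHost) {
    return THEIA_URL;
  }

  const forwardedProto = request.headers.get('x-forwarded-proto') ?? 'https';
  const forwardedUri = request.headers.get('x-forwarded-uri') ?? '/';

  let candidate: URL;
  try {
    candidate = new URL(`${forwardedProto}://${forwardedHost}${forwardedUri}`);
  } catch {
    return THEIA_URL;
  }

  const schemeAllowed = candidate.protocol === 'https:' || candidate.protocol === 'http:';
  const hostAllowed = candidate.host.toLowerCase() === THEIA_HOST.toLowerCase();
  // Credentials embedded in the URL are never part of a legitimate Theia request.
  const hasUserInfo = candidate.username !== '' || candidate.password !== '';

  if (!schemeAllowed || !hostAllowed || hasUserInfo) {
    return THEIA_URL;
  }
  return candidate.href;
}

/** Returns `value` when it is a string, otherwise an empty string. */
function stringClaim(value: unknown): string {
  return typeof value === 'string' ? value : '';
}

/**
 * ForwardAuth handler.
 *
 * @returns 302 to the Vibn login page when there is no valid session,
 *          otherwise an empty 200 carrying the user's identity headers.
 */
export async function GET(request: NextRequest): Promise<NextResponse> {
  const token = await readSessionToken(request);

  if (!token) {
    // Build a callbackUrl so after login the user lands back in Theia
    const destination = resolvePostLoginDestination(request);
    const loginUrl = `${APP_URL}/auth?callbackUrl=${encodeURIComponent(destination)}`;
    return NextResponse.redirect(loginUrl, { status: 302 });
  }

  // Session is valid — pass user identity to Theia via response headers
  // (Traefik forwards these to the upstream if authResponseHeaders is set).
  //
  // NOTE(review): the upstream should accept X-Auth-* only from Traefik, and
  // should treat an empty X-Auth-User as "no identity" — a token without
  // `sub` still produces a 200 here.
  // NOTE(review): header values must be byte strings; a display name with
  // characters outside Latin-1 may make the Headers constructor throw —
  // confirm, and agree an encoding with the upstream if so.
  return new NextResponse(null, {
    status: 200,
    headers: {
      'X-Auth-User': token.sub ?? '',
      'X-Auth-Email': stringClaim(token.email),
      'X-Auth-Name': stringClaim(token.name),
    },
  });
}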