/**
 * GET /api/theia-auth
 *
 * Traefik ForwardAuth endpoint for theia.vibnai.com.
 *
 * Traefik calls this URL for every request to the Theia IDE, forwarding
 * the user's Cookie header via authRequestHeaders. We validate the
 * NextAuth session and return:
 *   200  — session valid, Traefik lets the request through
 *   302  — no session, redirect browser to Vibn login
 */

import { NextRequest, NextResponse } from 'next/server';
import { getServerSession } from 'next-auth';
import { authOptions } from '@/lib/auth/authOptions';

const APP_URL = process.env.NEXTAUTH_URL ?? 'https://vibnai.com';
const THEIA_URL = 'https://theia.vibnai.com';

export async function GET(request: NextRequest) {
  let session: Awaited<ReturnType<typeof getServerSession>> = null;

  try {
    session = await getServerSession(authOptions);
  } catch {
    // Treat any session-validation errors as unauthenticated
  }

  if (!session?.user) {
    // Build a callbackUrl so the user lands back in Theia after login
    const forwardedHost = request.headers.get('x-forwarded-host');
    const forwardedProto = request.headers.get('x-forwarded-proto') ?? 'https';
    const forwardedUri = request.headers.get('x-forwarded-uri') ?? '/';

    const destination = forwardedHost
      ? `${forwardedProto}://${forwardedHost}${forwardedUri}`
      : THEIA_URL;

    const loginUrl = `${APP_URL}/auth?callbackUrl=${encodeURIComponent(destination)}`;

    return NextResponse.redirect(loginUrl, { status: 302 });
  }

  // Session is valid — forward user identity to Theia via response headers
  return new NextResponse(null, {
    status: 200,
    headers: {
      'X-Auth-Email': session.user.email ?? '',
      'X-Auth-Name': session.user.name ?? '',
    },
  });
}