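import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

/**
 * Middleware to protect /space routes.
 *
 * Client-side auth enforcement: the space page itself checks auth state via
 * Zustand store. This middleware adds a cookie-based check for server-rendered
 * requests — if no encryptid_token cookie is present on /space, redirect to
 * the home page with a login hint.
 *
 * Note: Since rfunds uses client-side Zustand persistence (localStorage),
 * the primary auth gate is in the SpacePage component itself. This middleware
 * serves as an additional layer for direct URL access.
 *
 * Security note: this is a *presence* check only. Neither the cookie value nor
 * the bearer credential is verified here, so any non-blank value passes this
 * layer; the token must still be validated by whatever consumes it downstream.
 */

/**
 * `Authorization: Bearer <credential>`. The scheme is matched
 * case-insensitively (RFC 7235 §2.1); group 1 is everything after the
 * whitespace that follows the scheme.
 */
const BEARER_RE = /^Bearer\s+(.+)$/i

/**
 * Extracts the credential from an `Authorization` header value.
 *
 * @param authHeader - raw header value, or `null` when the header is absent.
 * @returns the trimmed credential, or `null` when the header is missing, uses a
 *   scheme other than Bearer, or carries only whitespace after the scheme.
 */
function extractBearerToken(authHeader: string | null): string | null {
  if (authHeader === null) return null
  const match = BEARER_RE.exec(authHeader)
  // Trim so a header such as "Bearer   " does not count as a credential.
  const credential = match?.[1]?.trim()
  return credential ? credential : null
}

/**
 * Gate for `/space` routes: pass the request through when a cookie or bearer
 * credential is present, otherwise redirect to `/` with a login hint.
 *
 * @param request - incoming request; its `nextUrl`, cookies and headers are read.
 * @returns `NextResponse.next()` for public paths or authenticated-looking
 *   requests, a redirect response to `/?login=required&return=<pathname>` otherwise.
 */
export function middleware(request: NextRequest): NextResponse {
  const { pathname } = request.nextUrl

  // Only protect /space routes (not /tbff which is a public demo)
  if (!pathname.startsWith('/space')) {
    return NextResponse.next()
  }

  // Check for auth token in cookie (set by client after login). Trimmed so a
  // whitespace-only cookie value is treated the same as a missing one.
  const cookieToken = request.cookies.get('encryptid_token')?.value.trim()
  // Also check Authorization header for API-style access
  const bearerToken = extractBearerToken(request.headers.get('authorization'))

  if (cookieToken || bearerToken) {
    return NextResponse.next()
  }

  // No auth — redirect to home with login hint.
  // The client-side auth store is the primary gate, but this catches
  // direct navigation before hydration.
  // `return` is the request's own pathname (constrained above to start with
  // '/space'); the consumer should still treat it as a path, not a full URL.
  const url = request.nextUrl.clone()
  url.pathname = '/'
  url.searchParams.set('login', 'required')
  url.searchParams.set('return', pathname)
  return NextResponse.redirect(url)
}

export const config = {
  matcher: ['/space/:path*'],
}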