import { NextRequest, NextResponse } from 'next/server'
import { verifyToken, Role, TokenPayload } from './auth'

/**
 * A `NextRequest` that may carry the verified token payload of the caller.
 *
 * `user` is optional, so code receiving this type must still check that it is
 * present before making an authorization decision based on it.
 * NOTE(review): the helpers visible in this file return the payload to the
 * caller rather than attaching it to the request, so whoever sets `user` must
 * do so only after `verifyToken` has accepted the token — confirm at call sites.
 */
export interface AuthenticatedRequest extends NextRequest {
  // Payload produced by token verification; absent when no user was attached.
  user?: TokenPayload
}

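/**
 * Reads the bearer token from the request's `Authorization` header and returns
 * the result of `verifyToken` for it.
 *
 * The header is only parsed here; every trust decision (signature, expiry,
 * claims) is delegated to `verifyToken` from `./auth`.
 * NOTE(review): presumably `verifyToken` returns `null` for a token it rejects.
 * If it throws instead, the rejection propagates to the caller and would
 * likely surface as a 500 rather than a 401 — confirm.
 *
 * @param request - Incoming request whose `Authorization` header is inspected.
 * @returns The payload from `verifyToken`, or `null` when the header is
 *   missing, does not use the Bearer scheme, or carries no token.
 */
export async function getAuthUser(request: NextRequest): Promise<TokenPayload | null> {
  const header = request.headers.get('Authorization')
  if (!header) return null

  // Auth scheme names are case-insensitive (RFC 9110 §11.1), so "bearer x"
  // and "BEARER x" must be treated the same as "Bearer x".
  const schemePrefix = 'bearer '
  if (header.slice(0, schemePrefix.length).toLowerCase() !== schemePrefix) return null

  // RFC 6750 allows more than one space before the token; trim so the
  // verifier never receives padding as part of the credential.
  const token = header.slice(schemePrefix.length).trim()

  // "Bearer " with nothing after it is not a credential; fail closed here
  // instead of handing an empty string to the verifier.
  if (!token) return null

  return verifyToken(token)
}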

/**
 * Builds an async guard that authenticates a request and optionally restricts
 * it to a set of roles.
 *
 * The guard resolves to `{ user }` on success and to `{ error }` holding a
 * ready-made JSON response otherwise: 401 when `getAuthUser` yields no user,
 * 403 when `roles` is given and does not contain the user's role.
 *
 * Authorization notes for callers:
 * - Omitting `roles` admits any request whose token verifies.
 * - Passing an empty array denies every user (nothing can match).
 * - The role compared is the one carried in the token payload, so the check
 *   is only as trustworthy as the verification done by `getAuthUser`.
 * - The guard returns the error rather than throwing or responding itself;
 *   a route that ignores the `error` branch is left unprotected.
 *
 * @param roles - Roles allowed through; when omitted, authentication alone suffices.
 * @returns An async function taking the request and resolving to `{ user }` or `{ error }`.
 */
export function requireAuth(roles?: Role[]) {
  // Shared shape for both rejection responses.
  const deny = (message: string, status: number): { error: NextResponse } => ({
    error: NextResponse.json({ error: message }, { status }),
  })

  return async (
    request: NextRequest
  ): Promise<{ user: TokenPayload } | { error: NextResponse }> => {
    const user = await getAuthUser(request)

    // Authentication: no verified payload means the caller is unknown.
    if (!user) return deny('No autorizado', 401)

    // Authorization: only enforced when a role list was supplied.
    const roleAllowed = !roles || roles.includes(user.role)
    if (!roleAllowed) return deny('Acceso denegado', 403)

    return { user }
  }
}
