import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
import { jwtVerify } from 'jose';

// JWT 密钥（必须通过环境变量配置）
const JWT_SECRET = new TextEncoder().encode(
  process.env.JWT_SECRET || ''
);

// Cookie 名称
const AUTH_COOKIE_NAME = 'lioncode_auth_token';

// 需要登录才能访问的路由
const protectedRoutes = ['/', '/chat', '/settings', '/assistants', '/notes'];

// 公开路由（已登录用户访问会重定向到首页）
const publicRoutes = ['/login', '/register', '/reset-password'];

export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;

  // 忽略 API 路由和静态资源
  if (
    pathname.startsWith('/api/') ||
    pathname.startsWith('/_next/') ||
    pathname.startsWith('/favicon') ||
    pathname.includes('.')
  ) {
    return NextResponse.next();
  }

  // 获取认证 Cookie
  const token = request.cookies.get(AUTH_COOKIE_NAME)?.value;

  // 验证 Token
  let isAuthenticated = false;
  if (token) {
    try {
      await jwtVerify(token, JWT_SECRET);
      isAuthenticated = true;
    } catch {
      // Token 无效或过期
      isAuthenticated = false;
    }
  }

  // 检查是否是受保护的路由
  const isProtectedRoute = protectedRoutes.some(
    (route) => pathname === route || pathname.startsWith(`${route}/`)
  );

  // 检查是否是公开路由
  const isPublicRoute = publicRoutes.some(
    (route) => pathname === route || pathname.startsWith(`${route}/`)
  );

  // 未登录用户访问受保护路由 -> 重定向到登录页
  if (isProtectedRoute && !isAuthenticated) {
    const loginUrl = new URL('/login', request.url);
    loginUrl.searchParams.set('redirect', pathname);
    return NextResponse.redirect(loginUrl);
  }

  // 已登录用户访问公开路由 -> 重定向到首页
  if (isPublicRoute && isAuthenticated) {
    return NextResponse.redirect(new URL('/', request.url));
  }

  return NextResponse.next();
}

// 配置匹配的路由
export const config = {
  matcher: [
    /*
     * 匹配所有路径除了:
     * - api (API routes)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    '/((?!api|_next/static|_next/image|favicon.ico).*)',
  ],
};