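/*
 * Authentication middleware for protecting routes.
 *
 * Provides middleware functions to:
 * - requireAdminAuth - Protect admin-only routes
 * - requireUserAuth - Protect user-only routes
 * - requireAnyAuth - Protect routes requiring any authenticated user
 *
 * All three share one code path (`authorize`): resolve a token from the
 * request, validate it, check the resulting session against a predicate, and
 * either attach the session to `req` or reject the request.
 */
import { validateSession } from '../services/authService.js';

/** Matches `Authorization: Bearer <credential>`; scheme name is case-insensitive (RFC 7235). */
const BEARER_HEADER = /^Bearer\s+(\S+)\s*$/i;

/**
 * Extract the credential from an `Authorization` header value.
 *
 * Only the Bearer scheme is honoured. A header using another scheme (for
 * example `Basic …`) yields null instead of being forwarded verbatim to the
 * session validator, which is what a bare `replace('Bearer ', '')` did.
 *
 * @param {string|undefined} header - raw `Authorization` header value.
 * @returns {string|null} the Bearer credential, or null when the header is
 *   absent, malformed, or uses a different scheme.
 */
function getBearerToken(header) {
  if (typeof header !== 'string') {
    return null;
  }
  const match = BEARER_HEADER.exec(header);
  return match ? match[1] : null;
}

/**
 * Extract the auth token from a request.
 *
 * Sources, in priority order:
 * 1. the `auth_token` cookie (`req.cookies` is only populated when a cookie
 *    parser runs earlier in the chain);
 * 2. an `Authorization: Bearer <token>` header.
 *
 * @param {import('express').Request} req
 * @returns {string|null} the token, or null when neither source carries one.
 */
function getAuthToken(req) {
  const cookieToken = req.cookies?.auth_token;
  // An empty cookie value is treated as "no cookie" so the header is still consulted.
  if (typeof cookieToken === 'string' && cookieToken !== '') {
    return cookieToken;
  }
  return getBearerToken(req.headers.authorization);
}

/*
 * Determine whether a request originates from API/JSON consumers. This decides
 * whether an unauthenticated request should receive a `401` JSON body (for
 * XHR/fetch callers) or a redirect to the appropriate login page (for browser
 * navigation). `req.originalUrl` is used instead of `req.path` so the check
 * also works when this middleware runs behind a `Router` mount point.
 *
 * @param {import('express').Request} req
 * @returns {boolean}
 */
function isApiRequest(req) {
  const isApiPath = req.originalUrl?.startsWith('/api/') === true;
  const acceptsJson = req.headers.accept?.includes('application/json') === true;
  return isApiPath || Boolean(req.xhr) || acceptsJson;
}

/**
 * Shared authorization step used by the exported middleware functions.
 *
 * Resolves the token, validates it, and passes the session through `accepts`.
 * On rejection, API consumers get a `401` JSON body and browser navigations
 * are redirected to `redirectTo`.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 * @param {object} policy
 * @param {(session: object) => boolean} policy.accepts - true when the
 *   validated session may proceed.
 * @param {string} policy.message - body of the `401` JSON response.
 * @param {string} policy.redirectTo - location for non-API requests.
 */
function authorize(req, res, next, { accepts, message, redirectTo }) {
  const token = getAuthToken(req);
  // validateSession is called synchronously, as the original middleware did.
  const session = token ? validateSession(token) : null;

  if (!session || !accepts(session)) {
    if (isApiRequest(req)) {
      return res.status(401).json({ message });
    }
    return res.redirect(redirectTo);
  }

  // Expose the validated session to downstream handlers.
  // NOTE(review): this overwrites `req.session`; if express-session (or a
  // similar store) is also mounted, the two will collide — confirm.
  req.session = session;
  return next();
}

/**
 * Middleware to require admin authentication.
 * Redirects to login page for HTML requests, returns 401 for API requests.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
export function requireAdminAuth(req, res, next) {
  return authorize(req, res, next, {
    accepts: (session) => session.type === 'admin',
    message: 'Admin authentication required.',
    redirectTo: '/login-admin',
  });
}

/**
 * Middleware to require user authentication.
 * Redirects to login page for HTML requests, returns 401 for API requests.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
export function requireUserAuth(req, res, next) {
  return authorize(req, res, next, {
    accepts: (session) => session.type === 'user',
    message: 'User authentication required.',
    redirectTo: '/login-user',
  });
}

/**
 * Middleware to require any authentication (admin or user).
 * Any validated session passes; rejected browser requests go to `/`.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
export function requireAnyAuth(req, res, next) {
  return authorize(req, res, next, {
    accepts: () => true,
    message: 'Authentication required.',
    redirectTo: '/',
  });
}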