import { NextRequest, NextResponse } from 'next/server'
import jwt from 'jsonwebtoken'

// Simple in-memory session store (in production, use Redis or database)
const sessions = new Map<string, { userId: string; expires: number }>()

const JWT_SECRET = process.env.JWT_SECRET || 'your-super-secret-jwt-key-change-in-production'
const ADMIN_PASSWORD = process.env.ADMIN_PASSWORD || 'admin123' // Change this!

export interface AdminUser {
  id: string
  username: string
  role: 'admin'
}

export function verifyPassword(password: string): boolean {
  return password === ADMIN_PASSWORD
}

export function generateToken(user: AdminUser): string {
  return jwt.sign(
    { userId: user.id, username: user.username, role: user.role },
    JWT_SECRET,
    { expiresIn: '24h' }
  )
}

export function verifyToken(token: string): AdminUser | null {
  try {
    const decoded = jwt.verify(token, JWT_SECRET) as any
    return {
      id: decoded.userId,
      username: decoded.username,
      role: decoded.role,
    }
  } catch (error) {
    return null
  }
}

export function setAuthCookie(response: NextResponse, token: string): void {
  response.cookies.set('admin_token', token, {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    maxAge: 24 * 60 * 60, // 24 hours
    path: '/',
  })
}

export function clearAuthCookie(response: NextResponse): void {
  response.cookies.set('admin_token', '', {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    maxAge: 0,
    path: '/',
  })
}

export function getUserFromRequest(request: NextRequest): AdminUser | null {
  const token = request.cookies.get('admin_token')?.value
  if (!token) return null

  return verifyToken(token)
}

export function requireAuth(request: NextRequest): { user: AdminUser } | { redirect: NextResponse } {
  const user = getUserFromRequest(request)

  if (!user) {
    const loginUrl = new URL('/admin/login', request.url)
    loginUrl.searchParams.set('redirect', request.nextUrl.pathname)
    return { redirect: NextResponse.redirect(loginUrl) }
  }

  return { user }
}

// Middleware function for protecting admin routes
export function withAuth(handler: (request: NextRequest, user: AdminUser, params?: any) => Promise<NextResponse>) {
  return async (request: NextRequest, params?: any): Promise<NextResponse> => {
    const authResult = requireAuth(request)

    if ('redirect' in authResult) {
      return authResult.redirect
    }

    return handler(request, authResult.user, params)
  }
}