import { getToken } from "next-auth/jwt";
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

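/**
 * Session gate for page navigation.
 *
 * Reads the NextAuth JWT from the request and then:
 * - redirects a signed-in user away from the login/register pages to "/";
 * - redirects a user without a usable session away from the dashboard
 *   (including every nested dashboard route) to "/login";
 * - lets everything else through unchanged.
 *
 * This is a navigation guard only. Paths excluded by this file's `matcher`
 * (for example anything starting with `api`) never reach this function, so
 * route handlers and server-side data access must authenticate on their own.
 *
 * @param req - Incoming request passed in by Next.js.
 * @returns A redirect response, or `NextResponse.next()` to continue.
 */
export async function proxy(req: NextRequest) {
  const token = await getToken({ req, secret: process.env.NEXTAUTH_SECRET });
  const { pathname } = req.nextUrl;

  const authPages = ["/login", "/register"];
  const protectedPages = [
    "/dashboard",
    "/dashboard/employees",
    "/dashboard/attendance",
    "/dashboard/leaves",
    "/dashboard/biometrics",
    "/dashboard/settings"
  ];

  const isAuthPage = authPages.includes(pathname);

  // Match on path-segment boundaries rather than by exact string. With an
  // exact match, any nested route (e.g. a detail page below
  // "/dashboard/employees") is absent from the list and would be served
  // without a session check. The "/" suffix keeps look-alike paths such as
  // "/dashboard-public" out of the protected set.
  const isProtectedPage = protectedPages.some(
    (page) => pathname === page || pathname.startsWith(`${page}/`)
  );

  // Expiry is compared against Date.now(), so tokenExpiry is presumably epoch
  // milliseconds; confirm against the jwt callback that sets it.
  // NOTE(review): a token with no tokenExpiry claim is treated as not expired
  // (fail-open). Verify that every issued token carries the claim.
  const isTokenExpired = token && token.tokenExpiry && Date.now() > token.tokenExpiry;

  // A session is usable only if the JWT decoded, has not expired, and carries
  // an access token. Coerced to a boolean so the branches below do not depend
  // on the truthiness of a token object or string.
  const hasValidToken = Boolean(token && !isTokenExpired && token.accessToken);

  if (isAuthPage && hasValidToken) {
    // Fixed same-origin target; nothing from the request influences it.
    return NextResponse.redirect(new URL("/", req.url));
  }

  if (isProtectedPage && !hasValidToken) {
    const loginUrl = new URL("/login", req.url);
    loginUrl.searchParams.set("redirected", "true");
    // Timestamp makes each redirect URL unique.
    loginUrl.searchParams.set("ts", Date.now().toString());
    return NextResponse.redirect(loginUrl);
  }

  return NextResponse.next();
}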

// Route matcher for the proxy above.
// The single pattern matches every path except those that begin with
// `api`, `_next/static`, `_next/image` or `favicon.ico` (negative lookahead
// anchored right after the leading slash).
// Security notes:
// - Excluded paths bypass the session gate entirely; API route handlers must
//   perform their own authentication and authorization.
// - The lookahead has no segment boundary, so any path whose first segment
//   merely starts with `api` is excluded as well, not only `/api/...`.
// Keep this object a plain literal: Next.js reads the matcher at build time.
export const config = {
  matcher: [
    "/((?!api|_next/static|_next/image|favicon.ico).*)",
  ],
};