import { auth } from "@/auth";
import { NextResponse } from "next/server";

// Path prefixes that the session gate lets through untouched. A request under
// any of these never reaches the login redirect or the forced-password-change
// redirect below, so the matching route handler is the ONLY place its
// authorization happens (the review token for the client routes, the provider
// signature for the upload webhook, and so on).
// NOTE(review): the middleware itself performs no check on these routes; confirm
// each handler — in particular the /api/files/ file-serving route — validates
// the client review token or otherwise scopes what it is willing to serve.
const PUBLIC_PREFIXES = [
  "/api/auth", // NextAuth sign-in / callback / session endpoints
  "/client/", // client review portal pages (token-gated, no session required)
  "/api/client/", // token-gated client API (comments, approvals via review token)
  "/api/files/", // local file serving (video playback inside the client portal)
  "/api/uploadthing", // upload webhook endpoints
];

/**
 * Session gate for every request selected by the `matcher` in `config` below.
 *
 * Evaluated in this order:
 *  1. public prefixes (see `PUBLIC_PREFIXES`) fall through with no response;
 *  2. a signed-in user on `/login` is sent to `/dashboard`;
 *  3. a signed-in user whose session carries `user.mustChangePassword` is sent to
 *     `/settings` for any page other than `/settings`, `/api/*` and `/_next/*`;
 *  4. a signed-out user on anything but `/login` is sent to `/login` with the
 *     requested pathname in `callbackUrl`.
 *
 * Returning `undefined` lets the request continue to the route.
 *
 * @param {import("next/server").NextRequest & { auth?: unknown }} req - request
 *   decorated by `auth()` with the current session under `req.auth` (null/undefined
 *   when signed out).
 * @returns {NextResponse | undefined} a redirect response, or nothing to continue.
 */
export default auth((req) => {
  const { pathname } = req.nextUrl;
  const session = req.auth;
  const isLoggedIn = Boolean(session);

  // Step 1: routes that manage their own authorization.
  if (PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
    return;
  }

  // Step 2: a user who already has a session has no business on /login.
  if (isLoggedIn && pathname === "/login") {
    return NextResponse.redirect(new URL("/dashboard", req.url));
  }

  // Step 3: force a password change. Only page navigations are redirected;
  // /api/* stays reachable so the settings page can submit the new password
  // (and, as a consequence, any other API call still works for this user —
  // if the reset is meant to block API use too, the handlers must enforce it),
  // and /_next/* is left alone so the settings page can load its assets.
  const mustResetPassword = isLoggedIn && Boolean(session?.user?.mustChangePassword);
  const exemptFromReset =
    pathname === "/settings" ||
    pathname.startsWith("/api/") ||
    pathname.startsWith("/_next/");
  if (mustResetPassword && !exemptFromReset) {
    return NextResponse.redirect(new URL("/settings", req.url));
  }

  // Step 4: no session → login. `callbackUrl` is the request's own pathname
  // (a path, never a full URL), so it cannot point off-site by itself; whatever
  // consumes it on the login page should still treat it as a relative path.
  if (!isLoggedIn && pathname !== "/login") {
    const loginUrl = new URL("/login", req.url);
    loginUrl.searchParams.set("callbackUrl", pathname);
    return NextResponse.redirect(loginUrl);
  }
});

/**
 * Middleware matcher: everything except Next.js static/image assets, the
 * favicon, and the `public` / `placeholder` paths. Note that `/_next/data`
 * and other `/_next/*` paths are NOT excluded here, which is why the
 * password-change step above exempts `/_next/` explicitly.
 */
export const config = {
  matcher: [
    "/((?!_next/static|_next/image|favicon.ico|public|placeholder).*)",
  ],
};