export default defineNuxtRouteMiddleware(async (to) => {
  // Skip auth for SSR
  if (import.meta.server) return;

  // Check if auth is required (default true unless explicitly set to false)
  const isAuthRequired = to.meta.auth !== false;
  
  if (!isAuthRequired) {
    console.log('[MIDDLEWARE] Auth not required for route:', to.path);
    return;
  }

  console.log('[MIDDLEWARE] Checking authentication for route:', to.path);

  try {
    // Check Keycloak authentication via session API
    const sessionData = await $fetch('/api/auth/session') as any;
    
    console.log('[MIDDLEWARE] Session check result:', {
      authenticated: sessionData.authenticated,
      hasUser: !!sessionData.user,
      userId: sessionData.user?.id
    });

    if (sessionData.authenticated && sessionData.user) {
      console.log('[MIDDLEWARE] User authenticated, allowing access');
      return;
    }

    console.log('[MIDDLEWARE] No valid authentication found, redirecting to login');
    return navigateTo('/login');
    
  } catch (error) {
    console.error('[MIDDLEWARE] Auth check failed:', error);
    return navigateTo('/login');
  }
});