export default defineNuxtRouteMiddleware(async (to) => {
  // Skip auth for SSR
  if (import.meta.server) return;

  // Check if auth is required (default true unless explicitly set to false)
  const isAuthRequired = to.meta.auth !== false;
  
  if (!isAuthRequired) {
    return;
  }

  try {
    // Check Directus auth first
    const { fetchUser, setUser } = useDirectusAuth();
    const directusUser = useDirectusUser();
    
    if (!directusUser.value) {
      try {
        const user = await fetchUser();
        setUser(user.value);
      } catch (error) {
        // Directus auth failed, continue to check OIDC
      }
    }

    if (directusUser.value) {
      // User authenticated with Directus
      return;
    }

    // Check OIDC auth (Keycloak)
    const { user: oidcUser, loggedIn } = useOidcAuth();
    
    if (loggedIn.value && oidcUser.value) {
      // User authenticated with Keycloak via OIDC
      return;
    }

    // No authentication found, redirect to login
    return navigateTo('/login');
    
  } catch (error) {
    console.error('Auth middleware error:', error);
    return navigateTo('/login');
  }
});