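/**
 * Shared secrets accepted in the `x-tag` request header (webhooks / external callers).
 *
 * SECURITY: these are hardcoded in source, so they live in version control and in every
 * build artifact, and anyone who can read this file can authenticate as a webhook caller.
 * They should be rotated and loaded from runtime configuration; the literal values are
 * kept here only so existing callers keep working until that happens.
 */
const X_TAG_SECRETS: readonly string[] = ["094ut234", "pjnvü1230"];

/**
 * Check whether the request carries one of the accepted credentials:
 *   1. `x-tag` header matching a shared secret (webhooks / external calls)
 *   2. `directus_token` cookie whose companion `directus_token_expired_at` is in the future
 *   3. `nuxt-oidc-auth` session cookie (Keycloak users)
 *
 * Trust model (important for callers): only the `x-tag` path compares against a
 * server-side secret. The two cookie paths look at client-supplied cookies only --
 * the Directus token is not verified against Directus here, and the OIDC cookie is not
 * decrypted or validated here (the original note says the session endpoint does that).
 * Any client can send those cookie names, so treat this as a pre-check rather than as
 * proof of identity until server-side verification of the cookies is in place.
 *
 * @param event h3 request event
 * @returns true when one of the three checks passes, false otherwise; never throws
 */
export const isAuthenticated = async (event: any): Promise<boolean> => {
  // 1. x-tag header: the only path backed by a server-side secret.
  const xTagHeader = getRequestHeader(event, "x-tag");
  if (xTagHeader && X_TAG_SECRETS.includes(xTagHeader)) {
    console.log('[auth] Authenticated via x-tag header');
    return true;
  }

  // 2. Directus token cookie, gated on the companion expiry cookie.
  try {
    const directusToken = getCookie(event, 'directus_token');
    if (directusToken) {
      const directusExpiry = getCookie(event, 'directus_token_expired_at');
      if (!directusExpiry) {
        // Previously a missing expiry cookie was treated as "token valid". That fails open
        // on a client-controlled cookie, so the token is now rejected when its expiry is
        // unknown. NOTE(review): the Directus login flow must set both cookies -- confirm.
        console.log('[auth] Directus token present but no expiry cookie; rejecting');
      } else {
        // Expiry is a millisecond timestamp as a string; a non-numeric value parses to NaN,
        // which fails the comparison and is treated the same as an expired token.
        const expiryTime = parseInt(directusExpiry, 10);
        if (Number.isFinite(expiryTime) && Date.now() < expiryTime) {
          console.log('[auth] Authenticated via Directus token');
          return true;
        }
        console.log('[auth] Directus token expired');
      }
    }
  } catch (error) {
    console.log('[auth] Directus token check failed:', error);
  }

  // 3. OIDC session cookie: presence only. The cookie is expected to be encrypted and is
  //    validated by the session endpoint, not here -- so this branch alone proves nothing.
  try {
    const oidcSession = getCookie(event, 'nuxt-oidc-auth');
    if (oidcSession) {
      console.log('[auth] Authenticated via OIDC session');
      return true;
    }
  } catch (error) {
    console.log('[auth] OIDC session check failed:', error);
  }

  console.log('[auth] No valid authentication found');
  return false;
}

/**
 * Throw a 401 unless {@link isAuthenticated} accepts the request.
 *
 * On failure the request URL plus the header and cookie *names* are logged to help
 * diagnose misconfigured clients. Values are deliberately never logged: the cookies
 * and the `x-tag` header carry the credentials themselves.
 *
 * @param event h3 request event
 * @throws the error built by `createError` with statusCode 401 when no credential is accepted
 */
export const requireAuth = async (event: any): Promise<void> => {
  const authenticated = await isAuthenticated(event);
  if (!authenticated) {
    const rawCookieHeader = event.node.req.headers.cookie;
    console.log('[requireAuth] Authentication failed for:', event.node.req.url);
    console.log('[requireAuth] Available headers:', Object.keys(event.node.req.headers));
    console.log('[requireAuth] Available cookies:', Object.keys(rawCookieHeader ? parseCookies(rawCookieHeader) : {}));
    throw createError({ statusCode: 401, statusMessage: "Authentication required. Please provide x-tag header or valid session." });
  }
}

/**
 * Parse a raw `Cookie` header into a name -> value map (used above only for its keys).
 *
 * Each pair is split on the first `=` only, so values that themselves contain `=`
 * (e.g. base64-padded tokens) are no longer truncated, and the value is percent-decoded
 * when it is well-formed. The map has a null prototype as a defensive measure so a
 * cookie named `__proto__` or `constructor` cannot interact with Object.prototype.
 *
 * @param cookieString raw `Cookie` header value
 * @returns cookie name -> decoded value; pairs without a name or with an empty value are skipped
 */
function parseCookies(cookieString: string): Record<string, string> {
  const cookies: Record<string, string> = Object.create(null);
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue; // no '=' at all, or an empty name
    const name = trimmed.slice(0, eq);
    const rawValue = trimmed.slice(eq + 1);
    if (!rawValue) continue; // empty values were skipped by the original as well
    let value = rawValue;
    try {
      value = decodeURIComponent(rawValue);
    } catch {
      // Malformed percent-encoding: keep the raw value rather than dropping the cookie.
    }
    cookies[name] = value;
  }
  return cookies;
}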