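const SESSION_COOKIE_NAME = 'nuxt-oidc-auth'

/**
 * Decodes the payload (middle) segment of a JWT. The signature is NOT verified,
 * so the returned claims are only as trustworthy as the source of the token.
 *
 * @param token - Candidate JWT; anything that is not a string yields `null`.
 * @returns The decoded claims object, or `null` when there is no payload segment
 *          or the payload is not a JSON object.
 * @throws If the segment is not valid base64url or not valid JSON.
 */
function decodeJwtPayload(token: unknown): Record<string, unknown> | null {
  if (typeof token !== 'string') return null
  const [, payloadSegment] = token.split('.')
  if (payloadSegment === undefined) return null

  // JWT segments are base64url-encoded: map '-'/'_' back to the standard alphabet
  // and restore the stripped padding before handing the value to atob().
  const base64 = payloadSegment.replace(/-/g, '+').replace(/_/g, '/')
  const padded = base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), '=')

  // atob() returns one character per byte; decode those bytes as UTF-8 so
  // non-ASCII claim values (e.g. group names) are not garbled.
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0))
  const payload: unknown = JSON.parse(new TextDecoder().decode(bytes))
  return payload !== null && typeof payload === 'object' ? (payload as Record<string, unknown>) : null
}

/**
 * Reads the `groups` claim from decoded token claims, keeping only string entries.
 *
 * @param claims - Decoded claims, or `null` when no payload could be read.
 * @returns The group names, or an empty array when the claim is absent or not an array.
 */
function extractGroups(claims: Record<string, unknown> | null): string[] {
  const groupsClaim = claims?.groups
  return Array.isArray(groupsClaim)
    ? groupsClaim.filter((group): group is string => typeof group === 'string')
    : []
}

/**
 * Session check endpoint: reports whether the request carries a usable
 * OIDC/Keycloak session cookie and, if so, the user and group information in it.
 *
 * NOTE(review): this handler JSON-parses the cookie value directly and decodes
 * the ID/access tokens without checking their signatures. Nothing visible here
 * verifies integrity, so unless the cookie is signed or encrypted and verified
 * before it reaches this point, `user`, `groups` and `expiresAt` are
 * client-controlled and must not drive authorization decisions. Confirm how the
 * cookie is issued, and verify token signatures against the identity provider's
 * keys before trusting any claim.
 *
 * @returns `{ user, authenticated, groups, requestId }`; failures that are
 *          detected explicitly also carry a `reason` code.
 */
export default defineEventHandler(async (event) => {
  // Log-correlation id only; Math.random() is not suitable for anything security-relevant.
  const requestId = Math.random().toString(36).substring(7)
  const tag = `[SESSION:${requestId}]`

  // Removes the session cookie using the same domain/path it is expected to be set with.
  const clearSessionCookie = (): void => {
    const cookieDomain = process.env.COOKIE_DOMAIN || '.portnimara.dev'
    deleteCookie(event, SESSION_COOKIE_NAME, { domain: cookieDomain, path: '/' })
  }

  // Builds the response for a rejected session with a machine-readable reason.
  const rejected = (reason: string) => ({
    user: null,
    authenticated: false,
    groups: [] as string[],
    reason,
    requestId
  })

  console.log(`${tag} Checking authentication session...`)

  // Check OIDC/Keycloak authentication only
  try {
    const oidcSessionCookie = getCookie(event, SESSION_COOKIE_NAME)

    if (!oidcSessionCookie) {
      console.log(`${tag} No OIDC session cookie found`)
      return rejected('NO_SESSION_COOKIE')
    }

    console.log(`${tag} OIDC session cookie found, parsing...`)

    // Untrusted input: every field is checked or coerced before use.
    let sessionData: Record<string, any>
    try {
      const parseStart = Date.now()
      const parsed: unknown = JSON.parse(oidcSessionCookie)
      // JSON.parse accepts `null`, numbers and strings too; only an object can be a session.
      if (parsed === null || typeof parsed !== 'object') {
        throw new TypeError('session cookie is not a JSON object')
      }
      sessionData = parsed as Record<string, any>
      const parseTime = Date.now() - parseStart

      // Only presence flags and timestamps are logged, never token values.
      console.log(`${tag} Session data parsed successfully in ${parseTime}ms:`, {
        hasUser: !!sessionData.user,
        hasAccessToken: !!sessionData.accessToken,
        hasIdToken: !!sessionData.idToken,
        expiresAt: sessionData.expiresAt,
        createdAt: sessionData.createdAt,
        timeUntilExpiry: sessionData.expiresAt ? sessionData.expiresAt - Date.now() : 'unknown'
      })
    } catch (parseError) {
      // Recent V8 versions quote part of the input in JSON.parse error messages,
      // so log only the error type to keep cookie content out of the logs.
      console.error(
        `${tag} Failed to parse session cookie:`,
        parseError instanceof Error ? parseError.name : 'unknown error'
      )
      clearSessionCookie()
      return rejected('INVALID_SESSION_FORMAT')
    }

    // Validate session structure
    if (!sessionData.user || !sessionData.accessToken) {
      console.error(`${tag} Invalid session structure:`, {
        hasUser: !!sessionData.user,
        hasAccessToken: !!sessionData.accessToken
      })
      clearSessionCookie()
      return rejected('INVALID_SESSION_STRUCTURE')
    }

    // Check if session is still valid.
    // NOTE(review): a session without `expiresAt` is treated as never expiring;
    // consider rejecting sessions that lack the field.
    if (sessionData.expiresAt && Date.now() > sessionData.expiresAt) {
      console.log(`${tag} Session expired:`, {
        expiresAt: sessionData.expiresAt,
        currentTime: Date.now(),
        expiredSince: Date.now() - sessionData.expiresAt
      })
      clearSessionCookie()
      return rejected('SESSION_EXPIRED')
    }

    // Extract groups from the ID token (claims are unverified, see the handler note).
    let userGroups: string[] = []
    if (sessionData.idToken) {
      try {
        userGroups = extractGroups(decodeJwtPayload(sessionData.idToken))
        console.log(`${tag} Groups extracted from token:`, userGroups)
      } catch (tokenError) {
        console.error(`${tag} Failed to parse ID token:`, tokenError)
        // Continue without groups - not a fatal error
      }
    }

    // Also check the access token for groups as a fallback
    if (userGroups.length === 0 && sessionData.accessToken) {
      try {
        userGroups = extractGroups(decodeJwtPayload(sessionData.accessToken))
        console.log(`${tag} Groups extracted from access token:`, userGroups)
      } catch (tokenError) {
        console.error(`${tag} Failed to parse access token:`, tokenError)
      }
    }

    // Default group assignment if no groups found
    if (userGroups.length === 0) {
      console.log(`${tag} No groups found in token, assigning default "user" group`)
      userGroups = ['user']
    }

    // This entry contains identity attributes (email, username); make sure log
    // access and retention are appropriate for personal data.
    console.log(`${tag} Valid session found for user:`, {
      id: sessionData.user.id,
      email: sessionData.user.email,
      username: sessionData.user.username,
      groups: userGroups
    })

    return {
      user: {
        id: sessionData.user.id,
        email: sessionData.user.email,
        username: sessionData.user.username,
        name: sessionData.user.name,
        authMethod: sessionData.user.authMethod || 'keycloak',
        groups: userGroups
      },
      authenticated: true,
      groups: userGroups,
      requestId
    }
  } catch (error) {
    console.error(`${tag} OIDC session check error:`, error)
    // Unexpected failure: fail closed and clear the session
    clearSessionCookie()
    return {
      user: null,
      authenticated: false,
      groups: [] as string[],
      requestId
    }
  }
})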