import { auth } from "@/auth";
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

async function handler(req: NextRequest) {
  // Forward pathname so server components (layout) can read it via headers()
  const reqHeaders = new Headers(req.headers);
  reqHeaders.set("x-pathname", req.nextUrl.pathname);

  const session = await auth();
  const { pathname } = req.nextUrl;
  const isLoggedIn = !!session?.user;
  const role = session?.user?.role;
  const modules: string[] = session?.user?.modules ?? [];
  const isPrivilegedAdmin = role === "admin" || role === "super_admin";

  // ── Admin routes — admin role only ─────────────────────────────────
  if (pathname.startsWith("/admin")) {
    if (!isLoggedIn || role !== "admin") {
      return NextResponse.redirect(new URL("/login?next=/admin", req.url));
    }
    return NextResponse.next({ request: { headers: reqHeaders } });
  }

  // ── Dashboard — any authenticated user ────────────────────────────
  if (pathname.startsWith("/dashboard")) {
    if (!isLoggedIn) {
      return NextResponse.redirect(new URL(`/login?next=${encodeURIComponent(pathname)}`, req.url));
    }
    return NextResponse.next({ request: { headers: reqHeaders } });
  }

  // ── Academician module — full journal content & write ─────────────
  if (
    pathname.startsWith("/journal/new") ||
    (pathname.startsWith("/journal/") && pathname.split("/").length > 2)
  ) {
    if (!isLoggedIn) {
      return NextResponse.redirect(new URL("/login?next=" + encodeURIComponent(pathname), req.url));
    }
    if (!isPrivilegedAdmin && !modules.includes("academician")) {
      return NextResponse.redirect(new URL("/subscribe?required=academician", req.url));
    }
    return NextResponse.next({ request: { headers: reqHeaders } });
  }

  // ── Academician module — scholarship detail ────────────────────────
  if (pathname.match(/^\/scholarships\/[^/]+$/)) {
    if (!isLoggedIn) {
      return NextResponse.redirect(new URL("/login?next=" + encodeURIComponent(pathname), req.url));
    }
    if (!isPrivilegedAdmin && !modules.includes("academician")) {
      return NextResponse.redirect(new URL("/subscribe?required=academician", req.url));
    }
    return NextResponse.next({ request: { headers: reqHeaders } });
  }

  // ── Job Seeker module — job apply ─────────────────────────────────
  if (pathname.includes("/apply")) {
    if (!isLoggedIn) {
      return NextResponse.redirect(new URL("/login?next=" + encodeURIComponent(pathname), req.url));
    }
    if (!isPrivilegedAdmin && !modules.includes("job_seeker")) {
      return NextResponse.redirect(new URL("/subscribe?required=job_seeker", req.url));
    }
    return NextResponse.next({ request: { headers: reqHeaders } });
  }

  // ── Subscribe page — must be logged in ───────────────────────────
  if (pathname.startsWith("/subscribe")) {
    if (!isLoggedIn) {
      return NextResponse.redirect(new URL("/login?next=/subscribe", req.url));
    }
    return NextResponse.next({ request: { headers: reqHeaders } });
  }

  // ── Redirect logged-in users away from login/register ────────────
  if ((pathname === "/login" || pathname === "/register") && isLoggedIn) {
    return NextResponse.redirect(new URL("/dashboard", req.url));
  }

  return NextResponse.next({ request: { headers: reqHeaders } });
}

export const proxy = handler;

export const config = {
  matcher: [
    "/((?!api/auth|api/webhooks|api/tester-auth|_next/static|_next/image|favicon.ico|images|icons|fonts).*)",
  ],
};