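// middleware/authMiddleware.js
// Middleware that protects routes by verifying the JWT carried in the 'token'
// cookie. It relies on cookie-parser (or an equivalent) having populated
// req.cookies upstream; when that is missing no token can be read and the
// request is denied rather than crashing the middleware.
const jwt = require('jsonwebtoken');
// NOTE(review): loading dotenv from a middleware module is a process-wide side
// effect that belongs in the application entry point. Kept so callers that
// currently rely on it keep working.
require('dotenv').config();

const JWT_SECRET = process.env.JWT_SECRET;

// Fail fast at startup. An unset secret must never reach jwt.verify(): older
// jsonwebtoken releases (before 9.0) treat a falsy secret together with an
// unsigned token as a valid "alg: none" verification, which is a complete
// authentication bypass. Even on newer releases an unset secret would only
// surface as "every user is logged out" instead of a configuration error.
if (!JWT_SECRET) {
  throw new Error('JWT_SECRET environment variable is not set');
}

// Accept only HMAC-SHA256 tokens. Pinning the algorithm list removes any
// dependence on what the (attacker-controlled) token header claims and rules
// out 'none'. jwt.sign() defaults to HS256; adjust this list if the signing
// side is configured with a different HMAC algorithm.
const JWT_ALGORITHMS = ['HS256'];

// Per-request debug logging prints usernames, user ids and request metadata
// on every call. Useful in development, noisy and privacy-relevant in
// production, so it is gated on the environment.
const DEBUG_AUTH = process.env.NODE_ENV !== 'production';

/**
 * Returns true when a JWT `exp` claim (seconds since the Unix epoch) lies in
 * the past. jwt.verify() already enforces `exp`; this stays as a secondary
 * check so the middleware still denies expired tokens if verification is ever
 * configured with `ignoreExpiration`.
 * @param {number} exp - expiry time in seconds since the Unix epoch
 * @returns {boolean} true if the token has expired
 */
const tokenIsExpired = (exp) => {
  const nowSeconds = Math.floor(Date.now() / 1000);
  return exp < nowSeconds;
};

/**
 * Heuristic: does the client expect a JSON response rather than an HTML
 * redirect? Decided from the path prefix, the XHR header and JSON
 * content-type / accept headers. All of these are client-controlled, so the
 * result must only ever choose the *shape* of a denial, never whether access
 * is granted.
 * @param {import('express').Request} req
 * @returns {boolean}
 */
const wantsJson = (req) => {
  const contentType = req.headers['content-type'];
  const accept = req.headers.accept;
  return (
    req.path.startsWith('/api/') ||
    Boolean(req.xhr) ||
    (typeof contentType === 'string' && contentType.includes('application/json')) ||
    (typeof accept === 'string' && accept.includes('application/json'))
  );
};

/**
 * Denies a request whose token has expired: 401 JSON for API clients, a
 * redirect carrying the `expired` flag for browsers. The cookie has already
 * been cleared by the caller.
 * @param {import('express').Response} res
 * @param {boolean} isApiRequest - result of wantsJson()
 */
const denyExpired = (res, isApiRequest) => {
  if (isApiRequest) {
    return res.status(401).json({ message: 'Sitzung abgelaufen. Bitte melden Sie sich erneut an.' });
  }
  return res.redirect('/login?expired=true');
};

/**
 * Express middleware: verifies the JWT in the 'token' cookie and, on success,
 * attaches the decoded payload as `req.user` before calling `next()`.
 *
 * Failure handling:
 *  - no cookie             -> 401 JSON (API) or redirect to /login
 *  - expired token         -> cookie cleared, 401 JSON or /login?expired=true
 *  - any other verify error-> cookie cleared, 403 JSON or redirect to /login
 *
 * Only the error name/message is ever logged, never the token itself: the
 * cookie value is a bearer credential.
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
const authenticateToken = (req, res, next) => {
  // Guard against cookie-parser not being mounted: without this a missing
  // req.cookies would throw a TypeError here and turn into a 500.
  const cookies = req.cookies || {};
  const token = cookies.token;
  const isApiRequest = wantsJson(req);

  if (DEBUG_AUTH) {
    console.log('Auth Request:', {
      path: req.path,
      method: req.method,
      contentType: req.headers['content-type'],
      accept: req.headers.accept,
      hasToken: Boolean(token), // presence only, never the value
      cookies: Object.keys(cookies), // cookie names only, never values
    });
  }

  if (!token) {
    if (DEBUG_AUTH) {
      console.log('No token found, request is API?', isApiRequest);
    }
    if (isApiRequest) {
      return res.status(401).json({ message: 'Zugriff verweigert. Nicht authentifiziert.' });
    }
    return res.redirect('/login');
  }

  let user;
  try {
    // Synchronous form: a throw from a downstream handler in next() can no
    // longer be confused with a verification failure, and the algorithm list
    // is pinned explicitly (see JWT_ALGORITHMS).
    user = jwt.verify(token, JWT_SECRET, { algorithms: JWT_ALGORITHMS });
  } catch (err) {
    console.error('JWT Verification Error:', err.message, err.name);
    // NOTE(review): clearCookie only takes effect if it is given the same
    // path/domain options the cookie was set with — confirm against the login
    // handler that sets 'token'.
    res.clearCookie('token');

    if (err.name === 'TokenExpiredError') {
      return denyExpired(res, isApiRequest);
    }
    // 403 is kept for compatibility with existing API clients; 401 would be
    // the conventional status for a credential that fails verification.
    if (isApiRequest) {
      return res.status(403).json({ message: 'Token ungültig oder abgelaufen.' });
    }
    return res.redirect('/login');
  }

  // Defence in depth: jwt.verify() has already checked `exp`, so this branch
  // should be unreachable unless verification options change.
  if (user.exp && tokenIsExpired(user.exp)) {
    console.warn('Token expired but not caught by jwt.verify');
    res.clearCookie('token');
    return denyExpired(res, isApiRequest);
  }

  // Signature and expiry verified: the claims can be trusted downstream.
  req.user = user;

  if (DEBUG_AUTH) {
    console.log('Authentication successful for user:', user.username, 'user ID:', user.id);
  }
  next();
};

module.exports = authenticateToken;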