import { type NextRequest, NextResponse } from "next/server";

import { gatewayUrl } from "@/lib/api/gateway";
import { getAccessToken } from "@/lib/auth/session";
import { decodeJwt } from "@/lib/auth/jwt";

export const dynamic = "force-dynamic";

/**
 * Generic admin proxy: forwards GET/POST/PUT/DELETE for any admin resource to the V2
 * gateway under /v1/<path>, attaching the admin's bearer token. Admin-gated server-side.
 *
 *   /api/admin/resource/categories          → /v1/categories
 *   /api/admin/resource/categories/<id>     → /v1/categories/<id>
 *   /api/admin/resource/users?page=1        → /v1/users?page=1
 *
 * Query string is preserved.
 */
async function forward(
  req: NextRequest,
  path: string[],
  method: "GET" | "POST" | "PUT" | "DELETE"
): Promise<NextResponse> {
  const token = await getAccessToken();
  if (!token) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });

  const claims = decodeJwt(token);
  const isAdmin =
    String(claims?.is_admin) === "true" ||
    claims?.is_admin === true ||
    String(claims?.is_tenant_admin) === "true";
  if (!isAdmin) return NextResponse.json({ error: "Forbidden" }, { status: 403 });

  const search = req.nextUrl.search ?? "";
  // Trailing slash on the collection root avoids the gateway's 307 redirect.
  const joined = path.join("/");
  const gwPath = `/v1/${joined}${path.length === 1 && method === "GET" ? "/" : ""}${search}`;

  let body: string | undefined;
  if (method === "POST" || method === "PUT") {
    const json = await req.json().catch(() => ({}));
    body = JSON.stringify(json);
  }

  const res = await fetch(gatewayUrl(gwPath), {
    method,
    cache: "no-store",
    headers: {
      Accept: "application/json",
      "Content-Type": "application/json",
      Authorization: `Bearer ${token}`,
    },
    body,
    redirect: "follow",
  });

  const text = await res.text();
  const data = text ? safeJson(text) : null;
  if (!res.ok) {
    const errObj = data?.error;
    const message =
      (typeof errObj === "object" && errObj?.message) ||
      (typeof errObj === "string" ? errObj : undefined) ||
      data?.message ||
      "Gateway error";
    return NextResponse.json({ error: message }, { status: res.status });
  }
  return NextResponse.json(data ?? {}, { status: 200 });
}

interface GatewayResponse {
  error?: { message?: string } | string;
  message?: string;
  [key: string]: unknown;
}

function safeJson(t: string): GatewayResponse | null {
  try {
    return JSON.parse(t) as GatewayResponse;
  } catch {
    return null;
  }
}

export async function GET(req: NextRequest, ctx: { params: { path: string[] } }) {
  return forward(req, ctx.params.path, "GET");
}
export async function POST(req: NextRequest, ctx: { params: { path: string[] } }) {
  return forward(req, ctx.params.path, "POST");
}
export async function PUT(req: NextRequest, ctx: { params: { path: string[] } }) {
  return forward(req, ctx.params.path, "PUT");
}
export async function DELETE(req: NextRequest, ctx: { params: { path: string[] } }) {
  return forward(req, ctx.params.path, "DELETE");
}