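import { NextRequest } from 'next/server';
import { verify } from 'jsonwebtoken';
import { prisma } from '@/lib/db';

// No hard-coded fallback: a default secret committed to source would make the
// signature check meaningless on any deployment that forgot to set the
// variable. When the secret is missing, verifyAdminAuth fails closed instead.
const JWT_SECRET = process.env.JWT_SECRET;

/** Subset of the user record returned for an authenticated admin or moderator. */
export interface AdminUser {
  id: string;
  email: string;
  name: string | null;
  role: string;
}

/**
 * Authenticates a request as an admin or moderator.
 *
 * Reads a `Bearer` token from the `authorization` header, verifies its
 * signature with `JWT_SECRET`, and then looks the user up in the database.
 * The role comes from the database row, not from the token, so a role change
 * in the database applies to tokens that were issued earlier.
 *
 * @param request - Incoming Next.js request.
 * @returns The matching user, or `null` when the secret is not configured, the
 *   header is missing or malformed, the token fails verification, the token
 *   carries no usable `userId`, no admin/moderator row matches, or the lookup
 *   throws.
 */
export async function verifyAdminAuth(request: NextRequest): Promise<AdminUser | null> {
  try {
    if (!JWT_SECRET) {
      // Fail closed and make the misconfiguration visible in the logs.
      console.error('JWT_SECRET is not configured; rejecting admin authentication');
      return null;
    }

    const authHeader = request.headers.get('authorization');
    if (!authHeader?.startsWith('Bearer ')) {
      return null;
    }
    const token = authHeader.substring('Bearer '.length);

    // NOTE(review): accepted algorithms are left at the library default; consider
    // pinning them with the `algorithms` option once the issuer's algorithm is
    // confirmed. The issuer is not visible here, so whether tokens carry an
    // expiry (`exp`) should be checked on the signing side as well.
    let decoded: unknown;
    try {
      decoded = verify(token, JWT_SECRET);
    } catch {
      // Bad signature, expired or malformed token: treat as unauthenticated.
      return null;
    }

    // verify() may return a bare string payload; only an object can carry userId.
    if (typeof decoded !== 'object' || decoded === null) {
      return null;
    }
    const { userId } = decoded as { userId?: unknown };
    // Only a non-empty string may reach the query, never an object or number
    // taken from the token.
    if (typeof userId !== 'string' || userId.length === 0) {
      return null;
    }

    // The role filter is part of the lookup, so a valid token for a user who is
    // not (or no longer) an admin or moderator yields no row.
    const user = await prisma.user.findUnique({
      where: {
        id: userId,
        role: { in: ['admin', 'moderator'] }
      },
      select: { id: true, email: true, name: true, role: true }
    });

    return user ?? null;
  } catch (error) {
    console.error('Error verifying admin auth:', error);
    return null;
  }
}

/**
 * Reports whether the user may use the admin area.
 *
 * @param user - Result of {@link verifyAdminAuth}, possibly `null`.
 * @returns `true` when the role is `admin` or `moderator`.
 */
export function hasAdminAccess(user: AdminUser | null): boolean {
  return user?.role === 'admin' || user?.role === 'moderator';
}

/**
 * Reports whether the user holds the full `admin` role.
 *
 * @param user - Result of {@link verifyAdminAuth}, possibly `null`.
 * @returns `true` only when the role is exactly `admin`.
 */
export function isSuperAdmin(user: AdminUser | null): boolean {
  return user?.role === 'admin';
}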