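import { auth } from "@/lib/auth";

// Roles allowed to open pages under /admin.
const ADMIN_ROLES = new Set(["admin", "project_manager"]);

/**
 * Tell whether `pathname` is `prefix` itself or a path nested below it.
 *
 * Matching on a whole path segment keeps look-alike paths apart: a plain
 * `startsWith("/admin/")` misses "/admin" (the admin index when trailing
 * slashes are stripped), and a plain `startsWith("/auth")` would also
 * match unrelated pages such as "/authors".
 *
 * @param {string} pathname - Request path, e.g. `req.nextUrl.pathname`.
 * @param {string} prefix - Section root without a trailing slash.
 * @returns {boolean} True when the path belongs to that section.
 */
function isUnder(pathname, prefix) {
  return pathname === prefix || pathname.startsWith(`${prefix}/`);
}

/**
 * Page-level gate: unauthenticated visitors are sent to the sign-in page,
 * and /admin pages are limited to ADMIN_ROLES.
 *
 * This is a first line of defence only. API routes are skipped here and
 * must enforce authentication and authorization themselves, and admin
 * pages and actions should re-check the role on the server rather than
 * rely on this redirect alone.
 */
export default auth((req) => {
  const { pathname } = req.nextUrl;

  // Sign-in and related auth pages must stay reachable without a session.
  if (isUnder(pathname, "/auth")) {
    return;
  }

  // API routes handle their own auth.
  if (isUnder(pathname, "/api")) {
    return;
  }

  // Every other page requires a session.
  if (!req.auth) {
    const signInUrl = new URL("/auth/signin", req.url);
    // Only the same-origin path is passed along, never a full URL taken
    // from the request, so this redirect cannot carry an external target.
    signInUrl.searchParams.set("callbackUrl", pathname);
    return Response.redirect(signInUrl);
  }

  // Admin section, including the bare "/admin" index. The role is read from
  // the session only (no database access).
  // NOTE(review): a role change may not take effect until the session is
  // refreshed; confirm against the session strategy in "@/lib/auth".
  if (isUnder(pathname, "/admin")) {
    // A session without a user or role is treated as non-admin.
    const role = req.auth.user?.role;
    if (!ADMIN_ROLES.has(role)) {
      return Response.redirect(new URL("/", req.url));
    }
  }
});

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api/ (all API routes handle their own auth)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     * - auth/ (auth pages should be accessible)
     *
     * "api/" and "auth/" carry the trailing slash on purpose: a bare
     * "api" or "auth" prefix would also exempt unrelated pages whose path
     * merely begins with those letters (for example /authors or /api-docs)
     * from the sign-in requirement. The bare "/api" and "/auth" paths still
     * pass through the handler above, which lets them through unchanged.
     */
    "/((?!api/|_next/static|_next/image|favicon.ico|auth/).*)",
  ],
};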