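import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

/**
 * Path prefixes that are gated behind HTTP Basic authentication.
 *
 * Matching is a plain prefix test, so `/admin` also covers `/administrator`
 * (fail-closed). It does NOT cover paths such as `/api/admin/...`, which do
 * not start with any of these prefixes; API routes backing the admin UI need
 * their own authorization check.
 */
const PROTECTED_PREFIXES: readonly string[] = ['/admin', '/dashboard', '/manage', '/control'];

/**
 * Splits a `user:password` pair at the FIRST colon only.
 *
 * Per RFC 7617 the user-id cannot contain a colon but the password may, so a
 * naive `split(':')` would silently truncate such a password on both sides of
 * the comparison and accept any password sharing the part before its first colon.
 *
 * @param pair - Raw `user:password` string.
 * @returns `[user, password]`, or `null` when no colon separator is present.
 */
function splitCredentials(pair: string): [string, string] | null {
  const separator = pair.indexOf(':');
  if (separator === -1) {
    return null;
  }
  return [pair.slice(0, separator), pair.slice(separator + 1)];
}

/**
 * Compares two strings without returning early at the first differing byte.
 *
 * Best-effort mitigation of the timing side channel of `!==`; a JavaScript
 * engine gives no hard constant-time guarantee.
 *
 * @param a - Client-supplied value.
 * @param b - Expected value.
 * @returns `true` only when both strings encode to identical UTF-8 bytes.
 */
function safeEqual(a: string, b: string): boolean {
  const left = Buffer.from(a, 'utf8');
  const right = Buffer.from(b, 'utf8');
  // Seed with the length difference so unequal lengths can never compare equal.
  let diff = left.length ^ right.length;
  const length = Math.max(left.length, right.length);
  for (let i = 0; i < length; i++) {
    diff |= (left[i] ?? 0) ^ (right[i] ?? 0);
  }
  return diff === 0;
}

/** Builds the 401 response that asks the client for Basic credentials. */
function unauthorized(message: string) {
  return new NextResponse(message, {
    status: 401,
    headers: {
      'WWW-Authenticate': 'Basic realm="Admin Area"',
    },
  });
}

/**
 * Gates the protected path prefixes behind HTTP Basic authentication, checked
 * against the `ADMIN_BASIC_AUTH` environment variable (`user:password`).
 *
 * Basic credentials are only base64-encoded and are sent on every request, so
 * these routes must be served over TLS.
 *
 * @param request - Incoming request as handed over by Next.js.
 * @returns 500 when the expected credentials are missing or malformed, 401
 *   with a `WWW-Authenticate` challenge when the client's credentials are
 *   absent or wrong, otherwise a pass-through response.
 */
export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;

  // For all other routes, continue with normal processing
  if (!PROTECTED_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
    return NextResponse.next();
  }

  // Fail closed on a missing value AND on a value without a colon: otherwise
  // both passwords would be `undefined` and a bare username would authenticate.
  const basicAuth = process.env.ADMIN_BASIC_AUTH;
  const expected = basicAuth ? splitCredentials(basicAuth) : null;
  if (!expected) {
    return new NextResponse('Admin access not configured', { status: 500 });
  }

  const authHeader = request.headers.get('authorization');
  if (!authHeader || !authHeader.startsWith('Basic ')) {
    return unauthorized('Authentication required');
  }

  const encoded = authHeader.split(' ')[1] ?? '';
  const supplied = splitCredentials(Buffer.from(encoded, 'base64').toString());
  if (!supplied) {
    return unauthorized('Invalid credentials');
  }

  // Evaluate both comparisons unconditionally so a wrong username is not
  // answered faster than a wrong password.
  const usernameMatches = safeEqual(supplied[0], expected[0]);
  const passwordMatches = safeEqual(supplied[1], expected[1]);
  if (!(usernameMatches && passwordMatches)) {
    return unauthorized('Invalid credentials');
  }

  return NextResponse.next();
}

export const config = {
  matcher: [
    /*
     * Run this middleware on every request path EXCEPT those starting with:
     * - api/email (email API routes)
     * - api/health (health check)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     * - api/auth (auth API routes)
     *
     * The exclusions are prefix matches, so e.g. `api/authxyz` is skipped as
     * well, and the `.` in `favicon.ico` is an unescaped regex wildcard.
     */
    '/((?!api/email|api/health|_next/static|_next/image|favicon.ico|api/auth).*)',
  ],
};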