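import { NextRequest, NextResponse } from 'next/server';
import { verifySessionToken } from '@/lib/auth';

/** JSON document returned on every path of this endpoint. */
type ValidationBody =
  | { valid: true; message: string }
  | { valid: false; error: string };

/**
 * Headers attached to every response. The original handler set the hardening
 * headers on the 200 path only; a JSON error body benefits from them just as much,
 * so they are applied uniformly.
 */
const RESPONSE_HEADERS = {
  'Content-Type': 'application/json',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
} as const;

/** Builds a JSON NextResponse carrying the shared header set. */
function jsonResponse(status: number, body: ValidationBody): NextResponse {
  return new NextResponse(JSON.stringify(body), { status, headers: RESPONSE_HEADERS });
}

/** Narrows a parsed JSON value to a plain object so fields can be read without throwing. */
function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

/**
 * Validates a session token supplied in the JSON request body.
 *
 * Request body: `{ sessionToken: string, csrfToken: string }`; the same CSRF value
 * must also be sent in the `x-csrf-token` request header.
 *
 * Responses (always JSON):
 * - 400 when the body is not valid JSON, not an object, or `sessionToken` is missing / not a non-empty string
 * - 403 when the CSRF header or body value is missing, or the two differ
 * - 401 when `verifySessionToken` rejects the token
 * - 200 `{ valid: true }` otherwise
 * - 500 on any unexpected error; failure details are never echoed to the client
 *
 * @param request - the incoming Next.js request
 * @returns the JSON response described above
 */
export async function POST(request: NextRequest): Promise<NextResponse> {
  try {
    // A malformed or non-object body is a client error: answer 400 instead of letting
    // request.json() / destructuring escape to the generic 500 handler.
    let payload: unknown;
    try {
      payload = await request.json();
    } catch {
      return jsonResponse(400, { valid: false, error: 'Invalid JSON body' });
    }
    if (!isRecord(payload)) {
      return jsonResponse(400, { valid: false, error: 'Invalid JSON body' });
    }
    const { sessionToken, csrfToken } = payload;

    // Only a non-empty string is a usable token; an object or array would pass a plain
    // truthiness check and be handed to verifySessionToken as-is.
    if (typeof sessionToken !== 'string' || sessionToken.length === 0) {
      return jsonResponse(400, { valid: false, error: 'No session token provided' });
    }

    // CSRF protection: the body value must match the x-csrf-token header.
    // NOTE(review): both values are supplied by the caller, so the equality check on its own
    // does not bind the request to the user's session; what blocks a cross-site form post is
    // the custom header requirement (a cross-origin request must pass a CORS preflight to send
    // it). Binding the token to a cookie or to the session would make this check stand alone.
    const expectedCSRF = request.headers.get('x-csrf-token');
    if (
      typeof csrfToken !== 'string' ||
      csrfToken.length === 0 ||
      !expectedCSRF ||
      csrfToken !== expectedCSRF
    ) {
      return jsonResponse(403, { valid: false, error: 'CSRF token validation failed' });
    }

    // verifySessionToken is a project helper; its result is treated as a boolean as before.
    if (!verifySessionToken(request, sessionToken)) {
      return jsonResponse(401, { valid: false, error: 'Session expired or invalid' });
    }

    return jsonResponse(200, { valid: true, message: 'Session valid' });
  } catch {
    // Deliberately opaque: internal failure details must not reach the client.
    return jsonResponse(500, { valid: false, error: 'Internal server error' });
  }
}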