import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
import { verifySessionAuth } from '@/lib/auth';

export function middleware(request: NextRequest) {
  // For /manage and /editor routes, require authentication
  if (request.nextUrl.pathname.startsWith('/manage') ||
      request.nextUrl.pathname.startsWith('/editor')) {
    // Check for session authentication
    if (!verifySessionAuth(request)) {
      // Redirect to home page if not authenticated
      const url = request.nextUrl.clone();
      url.pathname = '/';
      return NextResponse.redirect(url);
    }
  }

  // Add security headers to all responses
  const response = NextResponse.next();
  
  // Security headers (complementing next.config.ts headers)
  response.headers.set('X-DNS-Prefetch-Control', 'on');
  response.headers.set('X-Frame-Options', 'DENY');
  response.headers.set('X-Content-Type-Options', 'nosniff');
  response.headers.set('X-XSS-Protection', '1; mode=block');
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  
  // Rate limiting headers for API routes
  if (request.nextUrl.pathname.startsWith('/api/')) {
    response.headers.set('X-RateLimit-Limit', '100');
    response.headers.set('X-RateLimit-Remaining', '99');
  }
  
  return response;
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api/email (email API routes)
     * - api/health (health check)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     * - api/auth (auth API routes - need to be processed)
     */
    '/((?!api/email|api/health|_next/static|_next/image|favicon.ico|api/auth).*)',
  ],
};