import { createServerClient } from "@supabase/ssr";
import { NextResponse, type NextRequest } from "next/server";
import { getSupabaseEnv } from "./env";
import {
  loginForPath,
  pathForRole,
  roleForPath,
} from "@/lib/middleware/portal";
import type { PortalRole } from "@/lib/auth/roles";
import { portalRoleFromMetadata } from "@/lib/auth/resolve-portal-role";

export async function updateSession(request: NextRequest) {
  let supabaseResponse = NextResponse.next({ request });

  let url: string;
  let anonKey: string;
  try {
    ({ url, anonKey } = getSupabaseEnv());
  } catch {
    return supabaseResponse;
  }

  const supabase = createServerClient(url, anonKey, {
    cookies: {
      getAll() {
        return request.cookies.getAll();
      },
      setAll(cookiesToSet) {
        cookiesToSet.forEach(({ name, value }) =>
          request.cookies.set(name, value)
        );
        supabaseResponse = NextResponse.next({ request });
        cookiesToSet.forEach(({ name, value, options }) =>
          supabaseResponse.cookies.set(name, value, options)
        );
      },
    },
  });

  const {
    data: { user },
  } = await supabase.auth.getUser();

  const pathname = request.nextUrl.pathname;
  const isAuthPage =
    pathname.startsWith("/login") || pathname.startsWith("/signup");
  const isPasswordFlow =
    pathname.startsWith("/forgot-password") ||
    pathname === "/reset-password" ||
    pathname.startsWith("/auth/");
  const isApi = pathname.startsWith("/api/");
  const isApiHealth = pathname === "/api/health";
  const isPublic =
    pathname === "/" || isAuthPage || isApiHealth || isPasswordFlow;
  const requiredRole = roleForPath(pathname);

  if (!user && !isPublic && !isApi) {
    const redirectUrl = request.nextUrl.clone();
    redirectUrl.pathname = loginForPath(pathname);
    return NextResponse.redirect(redirectUrl);
  }

  let portalRole: PortalRole | null = null;
  if (user) {
    const { data: profile, error: profileError } = await supabase
      .from("profiles")
      .select("portal_role")
      .eq("id", user.id)
      .maybeSingle();

    if (!profileError && profile?.portal_role) {
      portalRole = profile.portal_role as PortalRole;
    } else {
      portalRole = portalRoleFromMetadata(user) ?? "manager";
    }
  }

  if (user && isAuthPage && !isPasswordFlow) {
    const redirectUrl = request.nextUrl.clone();
    redirectUrl.pathname = pathForRole(portalRole);
    return NextResponse.redirect(redirectUrl);
  }

  if (user && pathname === "/reset-password") {
    return supabaseResponse;
  }

  if (user && requiredRole && portalRole !== requiredRole) {
    const redirectUrl = request.nextUrl.clone();
    redirectUrl.pathname = pathForRole(portalRole);
    return NextResponse.redirect(redirectUrl);
  }

  if (user && pathname === "/players" && portalRole === "manager") {
    const redirectUrl = request.nextUrl.clone();
    redirectUrl.pathname = pathForRole(portalRole);
    return NextResponse.redirect(redirectUrl);
  }

  if (user && pathname === "/leagues" && portalRole === "manager") {
    const redirectUrl = request.nextUrl.clone();
    redirectUrl.pathname = "/manager/leagues";
    return NextResponse.redirect(redirectUrl);
  }

  if (user && pathname.startsWith("/leagues/") && portalRole === "manager") {
    return supabaseResponse;
  }

  return supabaseResponse;
}