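import { jwtVerify } from 'jose';

/**
 * Shared secret used to verify HMAC-signed session tokens. Read once at
 * module load; when it is absent, every validation fails closed.
 */
const SUPABASE_JWT_SECRET = import.meta.env.SUPABASE_JWT_SECRET;

/**
 * Signature algorithms accepted for the shared-secret key. Pinning this list
 * means the attacker-controlled `alg` header cannot select a different
 * algorithm than the one the secret was issued for.
 */
const ALLOWED_ALGORITHMS = ['HS256'];

/**
 * Outcome of {@link validateSession}. Discriminate on `valid` before reading
 * the identity fields; `error` is a short, non-sensitive reason string.
 */
export type SessionValidation =
  | { valid: true; profileId: string; workosUserId: string }
  | { valid: false; error: string };

/**
 * Verify a `Bearer` session token and extract the caller's identity.
 *
 * The token signature (and `exp`/`nbf`, when present) is checked by `jwtVerify`
 * against the configured secret. Claims are then validated at runtime as
 * non-empty strings rather than type-asserted, so a token carrying a
 * non-string `sub` or `workos_user_id` is rejected instead of leaking out
 * typed as `string`.
 *
 * @param authHeader - Raw `Authorization` header value, or `null` when absent.
 * @returns `{ valid: true, profileId, workosUserId }` on success, otherwise
 *   `{ valid: false, error }`. Never throws; every failure is reported in the
 *   return value.
 */
export async function validateSession(authHeader: string | null): Promise<SessionValidation> {
  if (!authHeader?.startsWith('Bearer ')) {
    return { valid: false, error: 'Missing authorization header' };
  }
  if (!SUPABASE_JWT_SECRET) {
    return { valid: false, error: 'Service misconfigured' };
  }

  const token = authHeader.slice('Bearer '.length);

  try {
    const secret = new TextEncoder().encode(SUPABASE_JWT_SECRET);
    // NOTE(review): `issuer` / `audience` are not pinned here; the expected
    // values depend on the issuing project — confirm and add them if known.
    const { payload } = await jwtVerify(token, secret, { algorithms: ALLOWED_ALGORITHMS });

    const profileId = payload.sub;
    const workosUserId = payload.workos_user_id;
    // Claims come from untrusted JSON: require both to be non-empty strings.
    if (
      typeof profileId !== 'string' ||
      profileId === '' ||
      typeof workosUserId !== 'string' ||
      workosUserId === ''
    ) {
      return { valid: false, error: 'Invalid token claims' };
    }
    return { valid: true, profileId, workosUserId };
  } catch {
    // Bad signature, expired/not-yet-valid token, malformed JWT, or algorithm
    // mismatch all land here; the specific reason is deliberately not exposed.
    return { valid: false, error: 'Invalid token' };
  }
}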