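import type { APIRoute } from 'astro';
import { jwtVerify, SignJWT } from 'jose';

/**
 * Shared HMAC secret. It both verifies the incoming Supabase session token and
 * signs the minted sync-engine token, so the two token families are
 * interchangeable from the verifier's point of view (see note in POST).
 */
const SUPABASE_JWT_SECRET = import.meta.env.SUPABASE_JWT_SECRET;

/** Upper bound on a minted sync-engine token's lifetime, in seconds (24h). */
const SYNC_TOKEN_MAX_AGE_SECONDS = 24 * 60 * 60;

/**
 * Exchanges a Supabase session token (sent as `Authorization: Bearer <jwt>`)
 * for a sync-engine token.
 *
 * The session token must be an HS256 JWT signed with `SUPABASE_JWT_SECRET`
 * with `aud: "authenticated"` and a non-empty `sub`. The minted token is an
 * HS256 JWT carrying `sub` and `workos_user_id` copied from the session token
 * plus `role`/`aud` of `"authenticated"`, signed with the same secret.
 *
 * @returns 200 `{ success: true, syncEngineToken }` on success;
 *   401 `{ success: false, message }` when the header is missing or the token
 *   fails verification (details are deliberately not leaked);
 *   500 when the signing secret is not configured.
 */
export const POST: APIRoute = async ({ request }) => {
  const headers = { 'Content-Type': 'application/json' };
  const reply = (status: number, body: Record<string, unknown>): Response =>
    new Response(JSON.stringify(body), { status, headers });

  // A missing secret is a server-side misconfiguration; report it as such
  // rather than failing every request with a misleading "Invalid session".
  if (!SUPABASE_JWT_SECRET) {
    return reply(500, { success: false, message: 'Server misconfigured' });
  }

  const authHeader = request.headers.get('Authorization');
  if (!authHeader?.startsWith('Bearer ')) {
    return reply(401, { success: false, message: 'Missing authorization' });
  }
  const sessionToken = authHeader.slice('Bearer '.length);

  try {
    const secret = new TextEncoder().encode(SUPABASE_JWT_SECRET);
    // Pin the algorithm explicitly so a symmetric secret never verifies
    // anything but the HS256 signatures Supabase issues with it.
    const { payload } = await jwtVerify(sessionToken, secret, {
      algorithms: ['HS256'],
      audience: 'authenticated',
    });

    // Never mint a subject-less token from a session that has no `sub`.
    if (typeof payload.sub !== 'string' || payload.sub.length === 0) {
      return reply(401, { success: false, message: 'Invalid session' });
    }

    // NOTE(review): because the minted token is signed with the same secret and
    // carries the same `aud`, this endpoint would accept it as a "session" and
    // happily re-mint it. Bounding `exp` by the session token's own `exp` means
    // a derived token can never outlive the credential it came from, so it
    // cannot be rolled forward indefinitely without re-authenticating.
    const nowSeconds = Math.floor(Date.now() / 1000);
    const defaultExp = nowSeconds + SYNC_TOKEN_MAX_AGE_SECONDS;
    const exp =
      typeof payload.exp === 'number' ? Math.min(defaultExp, payload.exp) : defaultExp;

    const syncEngineToken = await new SignJWT({
      sub: payload.sub,
      role: 'authenticated',
      aud: 'authenticated',
      workos_user_id: payload.workos_user_id,
    })
      .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
      .setIssuedAt(nowSeconds)
      .setExpirationTime(exp)
      .sign(secret);

    return reply(200, { success: true, syncEngineToken });
  } catch {
    // Verification and signing failures are collapsed into one generic 401 so
    // the response does not reveal why a token was rejected.
    return reply(401, { success: false, message: 'Invalid session' });
  }
};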