import { NextRequest, NextResponse } from 'next/server'

// Move accessToken to HttpOnly cookie in future for better security
// Backend sets 'refreshToken' cookie on login; use it as auth presence
const AUTH_COOKIES = ['refreshToken']

export function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl

  // Only guard admin routes
  if (pathname.startsWith('/admin')) {
    const hasAuthCookie = AUTH_COOKIES.some((name) => !!req.cookies.get(name)?.value)
    if (!hasAuthCookie) {
      const loginUrl = new URL('/login', req.url)
      return NextResponse.redirect(loginUrl)
    }
  }

  return NextResponse.next()
}

export const config = {
  matcher: ['/admin/:path*'],
}