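const requireAuth = require('./middlewares/requireAuth');
const authRoutes = require('./routes/authRoutes');
const express = require('express');
const path = require('path');
const session = require('express-session');
require('dotenv').config();
const viabilidadeRoutes = require('./routes/viabilidadeRoutes');

const app = express();

// Body parsers. The 5mb cap bounds how much a single request body may occupy
// before express.json rejects it (413), which limits memory pressure from
// oversized uploads.
app.use(express.json({ limit: '5mb' }));
app.use(express.urlencoded({ extended: true }));

// Session cookie signing secret. Anyone who knows this value can mint a valid
// session id, so the hard-coded fallback is only acceptable outside
// production: fail closed when NODE_ENV=production and no secret is
// configured, and warn (but keep working) in every other environment.
const isProduction = process.env.NODE_ENV === 'production';
let sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
  if (isProduction) {
    throw new Error('SESSION_SECRET must be set when NODE_ENV=production');
  }
  sessionSecret = 'dev-secret';
  console.warn('[session] SESSION_SECRET is not set; using the development fallback secret');
}

// Session store is in-memory (express-session default): fine for dev/tests,
// not shared across processes and not durable across restarts.
app.use(session({
  secret: sessionSecret,
  resave: false,
  saveUninitialized: false,
  cookie: {
    // secure: false so the cookie also works over plain HTTP in development.
    // Behind HTTPS in production this should be true (with `trust proxy`
    // configured if TLS terminates at a reverse proxy), otherwise the session
    // cookie travels in cleartext.
    secure: false,
  },
}));

// Login routes are registered first so they are reachable without a session.
app.use(authRoutes);

// Development-only authentication bypass, active only when BOTH
// NODE_ENV=development and DEV_SKIP_AUTH=true are set explicitly. It MUST be
// registered before the global protection middleware so that requireAuth
// sees a logged-in user in req.session.user.
if (process.env.NODE_ENV === 'development' && process.env.DEV_SKIP_AUTH === 'true') {
  app.use((req, res, next) => {
    if (!req.session) return next();
    // requireAuth keys on the property name `authenticated` (with an 'h');
    // keep that spelling or the bypass silently stops working.
    req.session.user = req.session.user || { authenticated: true, id: 'dev', name: 'developer' };
    next();
  });
}

// Static assets are deliberately NOT served here: they are mounted after the
// global protection middleware so an unauthenticated visitor is redirected to
// /login before any UI is delivered.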
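// Global protection: every request except the auth routes, the login page and
// the health probe goes through requireAuth. This runs before express.static
// so the UI is never delivered to an unauthenticated session.
// NOTE: the '/auth' check is a prefix match, so any path that merely begins
// with '/auth' (not only '/auth/...') is exempted from the guard; keep the
// auth routes namespaced accordingly.
app.use((req, res, next) => {
  const isPublicPath =
    req.path.startsWith('/auth') ||
    req.path === '/login' ||
    req.path === '/health';
  if (isPublicPath) return next();
  return requireAuth(req, res, next);
});

// Static UI assets, reachable only through the protection middleware above.
app.use(express.static(path.join(__dirname, 'public')));

// Application API routes
app.use('/', viabilidadeRoutes);

// Liveness probe; exempted from authentication in the protection middleware.
app.get('/health', (req, res) => res.json({ ok: true }));

// Fallback for anything no route matched
app.use((req, res) => res.status(404).json({ error: 'Not found' }));

// Central error handler. The full error is logged server-side only; clients
// get a generic message so stack traces and internal details never leak.
// If a response has already started streaming, delegate to Express's default
// handler instead of writing headers a second time, which would itself throw
// inside this handler. The 4-argument signature is required for Express to
// treat this as an error handler.
app.use((err, req, res, next) => {
  console.error((err && (err.stack || err.message)) || err);
  if (res.headersSent) return next(err);
  res.status(500).json({ error: 'Internal server error' });
});

// Only start listening when run directly; tests import `app` without binding
// a port.
if (require.main === module) {
  // PORT is read from the environment; a missing or non-numeric value falls
  // back to 3000.
  const port = Number.parseInt(process.env.PORT, 10) || 3000;
  app.listen(port, () => {
    console.log(`Server listening on port ${port} (env=${process.env.NODE_ENV || 'production'})`);
    if (process.env.NODE_ENV === 'development' && process.env.DEV_SKIP_AUTH === 'true') {
      console.log('[START-NOAUTH] DEV_SKIP_AUTH=true — authentication is bypassed');
    }
  });
}

module.exports = app;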