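const express = require('express');
const path = require('path');
const session = require('express-session');
// Load .env before anything below (including the routes module) reads process.env.
require('dotenv').config();

const viabilidadeRoutes = require('./routes/viabilidadeRoutes');

const app = express();

const isProduction = process.env.NODE_ENV === 'production';
// The auth bypass needs BOTH conditions; either one alone leaves it off.
const isDevAuthBypassEnabled =
  process.env.NODE_ENV === 'development' && process.env.DEV_SKIP_AUTH === 'true';

/**
 * Resolve the secret that signs the session ID cookie.
 *
 * A secret that is published in source control lets anyone who has read the
 * repository forge a validly signed session cookie, so the built-in fallback
 * is refused when NODE_ENV is 'production'. In every other environment the
 * fallback is kept for convenience, but a warning is logged so that it is
 * noticed. Note that an unset NODE_ENV still takes the fallback path even
 * though the startup log below labels that case as 'production'.
 *
 * @returns {string} The configured SESSION_SECRET, or the development fallback.
 * @throws {Error} When NODE_ENV is 'production' and SESSION_SECRET is empty or unset.
 */
function resolveSessionSecret() {
  const configuredSecret = process.env.SESSION_SECRET;
  if (configuredSecret) {
    return configuredSecret;
  }
  if (isProduction) {
    throw new Error('SESSION_SECRET must be set when NODE_ENV=production');
  }
  console.warn('[SESSION] SESSION_SECRET is not set; using the built-in development secret');
  return 'dev-secret';
}

// Basic middleware
app.use(express.json({ limit: '5mb' }));
app.use(express.urlencoded({ extended: true }));

// Session. No store is configured, so express-session's default in-memory
// store is used: fine for dev/tests, but sessions are lost on restart and are
// not shared between processes, so configure a persistent store for production.
app.use(session({
  secret: resolveSessionSecret(),
  resave: false,
  saveUninitialized: false,
  cookie: {
    // Keep the session ID out of reach of page scripts (express-session's
    // default, stated explicitly so it is not dropped by accident).
    httpOnly: true,
    // 'auto' sets the Secure flag whenever the request is seen as HTTPS and
    // leaves it off for plain HTTP, so local development keeps working.
    // Behind a TLS-terminating proxy this only takes effect once Express's
    // 'trust proxy' setting is configured; until then the cookie is issued
    // without Secure, exactly as before.
    secure: 'auto',
  },
}));

// Dev bypass for Microsoft auth / session (only when explicitly enabled).
// Every request is treated as the same synthetic user while this is active,
// so it must never be enabled on a host that is reachable by others.
if (isDevAuthBypassEnabled) {
  app.use((req, res, next) => {
    if (!req.session) return next();
    // mark a simple user in session so handlers that expect auth work in dev
    req.session.user = req.session.user || { id: 'dev', name: 'developer' };
    next();
  });
}

// Serve static assets (UI). This is mounted at app level ahead of the routes,
// so everything under public/ is served without passing through route handlers.
app.use(express.static(path.join(__dirname, 'public')));

// Mount API routes
app.use('/', viabilidadeRoutes);

// Health endpoint
app.get('/health', (req, res) => res.json({ ok: true }));

// 404
app.use((req, res) => res.status(404).json({ error: 'Not found' }));

// Error handler: full details go to the server log only; the client gets a
// generic message so that stack traces and internal paths are not disclosed.
app.use((err, req, res, next) => {
  console.error(err && (err.stack || err.message) || err);
  // If the response has already started, a second status/body cannot be
  // written; hand over to Express's default handler, which closes the connection.
  if (res.headersSent) {
    return next(err);
  }
  res.status(500).json({ error: 'Internal server error' });
});

// Only bind a port when run directly; requiring this module (e.g. from tests)
// just returns the configured app.
if (require.main === module) {
  const port = parseInt(process.env.PORT, 10) || 3000;
  app.listen(port, () => {
    console.log(`Server listening on port ${port} (env=${process.env.NODE_ENV || 'production'})`);
    if (isDevAuthBypassEnabled) {
      console.log('[START-NOAUTH] DEV_SKIP_AUTH=true — authentication is bypassed');
    }
  });
}

module.exports = app;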