import type { Context, Next } from "hono";

function isPublicApiRoute(method: string, path: string) {
  if (path === "/api/webhook/instagram") return true;
  if (method === "GET" && path === "/api/instagram/connect") return true;
  if (method === "GET" && path === "/api/instagram/callback") return true;
  if (method === "POST" && path === "/api/user/delete") return true;
  if (method === "GET" && path === "/api/user/delete") return true;

  return false;
}

export async function apiAuth(c: Context, next: Next) {
  if (isPublicApiRoute(c.req.method, c.req.path)) {
    return next();
  }

  if (c.req.method === "POST" && c.req.path === "/api/automation/followups") {
    const cronSecret = process.env.AUTOMATION_CRON_SECRET;
    const providedCronSecret = c.req
      .header("authorization")
      ?.replace(/^Bearer\s+/i, "");

    if (cronSecret && providedCronSecret === cronSecret) {
      return next();
    }
  }

  const expectedKey = process.env.SERVER_API_KEY;
  if (!expectedKey) {
    if (process.env.NODE_ENV === "production") {
      return c.json({ error: "SERVER_API_KEY is not configured" }, 500);
    }

    return next();
  }

  const providedKey =
    c.req.header("x-server-api-key") ??
    c.req.header("authorization")?.replace(/^Bearer\s+/i, "");

  if (providedKey !== expectedKey) {
    return c.json({ error: "Unauthorized" }, 401);
  }

  return next();
}