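import { NextResponse } from "next/server";
import { jwtVerify } from "jose";

/** Name of the cookie that carries the Keycloak access token. */
const ACCESS_TOKEN_COOKIE = "access_token";

/**
 * Extracts the access token from a raw `Cookie` request header.
 *
 * Splits on `;` and trims each pair (the original `"; "` split broke on
 * headers with no or extra whitespace), and takes everything after the
 * FIRST `=` so a value that itself contains `=` is not truncated.
 * Percent-encoded values are decoded; a JWT contains only
 * `A-Z a-z 0-9 - _ .`, so this is a no-op for well-formed tokens.
 *
 * @param cookieHeader - The raw `Cookie` header, or `null` when absent.
 * @returns The token string, or `null` when no non-empty `access_token`
 *   cookie is present.
 */
const getTokenFromCookies = (cookieHeader: string | null): string | null => {
  if (!cookieHeader) return null;
  const prefix = `${ACCESS_TOKEN_COOKIE}=`;
  for (const pair of cookieHeader.split(";")) {
    const trimmed = pair.trim();
    if (!trimmed.startsWith(prefix)) continue;
    const rawValue = trimmed.slice(prefix.length);
    try {
      return decodeURIComponent(rawValue) || null;
    } catch {
      // Malformed percent-encoding: fall back to the raw cookie value.
      return rawValue || null;
    }
  }
  return null;
};

/** Narrowing guard for a plain (non-array, non-null) JSON object. */
const isRecord = (value: unknown): value is Record<string, unknown> =>
  typeof value === "object" && value !== null && !Array.isArray(value);

/**
 * Decodes the payload segment of a compact JWT **without verifying its
 * signature**. The returned claims are untrusted input: any client can
 * mint a token whose payload decodes successfully here.
 *
 * @param token - A compact-serialized JWT (`header.payload.signature`).
 * @returns The parsed payload claims.
 * @throws {Error} If the token is not exactly three dot-separated segments,
 *   the payload is not valid JSON, or the payload is not a JSON object.
 */
const decodeUnverifiedPayload = (token: string): Record<string, unknown> => {
  const segments = token.split(".");
  const [, payloadSegment] = segments;
  if (segments.length !== 3 || payloadSegment === undefined) {
    throw new Error("Malformed JWT: expected three segments");
  }
  // JWT segments are base64url (RFC 7515 §2), not plain base64; name the
  // encoding explicitly rather than relying on the lenient "base64" decoder.
  const json = Buffer.from(payloadSegment, "base64url").toString("utf8");
  const parsed: unknown = JSON.parse(json);
  if (!isRecord(parsed)) {
    throw new Error("Malformed JWT: payload is not an object");
  }
  return parsed;
};

/**
 * Returns true when the `exp` claim is present and not in the future.
 *
 * A missing or non-numeric `exp` is treated as "not expired" because the
 * claim is optional in RFC 7519 §4.1.4; signature verification, not this
 * check, is what ultimately establishes trust in the token.
 *
 * @param claims - Decoded JWT payload.
 * @param nowSeconds - Current time in seconds since the epoch (injectable
 *   for tests); defaults to the wall clock.
 */
const isExpired = (
  claims: Record<string, unknown>,
  nowSeconds: number = Math.floor(Date.now() / 1000)
): boolean => typeof claims.exp === "number" && claims.exp <= nowSeconds;

/**
 * Route handler: returns the identity carried in the `access_token` cookie.
 *
 * ⚠️ The token's signature is NOT verified here — only its structure and
 * `exp` claim are checked — so every field in the response is client
 * controlled. Before production use, verify the token with `jwtVerify`
 * (already imported) against the Keycloak realm's public key / JWKS and
 * build the response from the verified payload instead.
 *
 * @param req - The incoming request; only the `Cookie` header is read.
 * @returns 200 with the user's claims; 401 with `{ message }` when the
 *   cookie is missing, the token is malformed, or the token has expired.
 */
export async function GET(req: Request) {
  const token = getTokenFromCookies(req.headers.get("cookie"));
  if (!token) {
    return NextResponse.json({ message: "Unauthorized" }, { status: 401 });
  }

  let payload: Record<string, unknown>;
  try {
    payload = decodeUnverifiedPayload(token);
  } catch {
    // Malformed token: do not echo decode details back to the client.
    return NextResponse.json({ message: "Invalid token" }, { status: 401 });
  }

  if (isExpired(payload)) {
    return NextResponse.json({ message: "Token expired" }, { status: 401 });
  }

  // `realm_access.roles` is only used when it is actually an array; a
  // payload with a bogus shape yields no roles rather than a crash.
  const realmAccess = payload.realm_access;
  const roles: unknown[] =
    isRecord(realmAccess) && Array.isArray(realmAccess.roles)
      ? realmAccess.roles
      : [];

  return NextResponse.json({
    id: payload.sub,
    email: payload.email,
    name: payload.name,
    realm_access: payload.realm_access,
    username: payload.preferred_username,
    roles,
  });
}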