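import type { Context, Next } from "hono";
import { getAuth } from "@hono/oidc-auth";
import { verifyApiKey } from "../services/auth.service";
import { verifyAccessToken } from "../services/oauth.service";

/**
 * Authentication gate that accepts any one of three credential types,
 * checked in a fixed order:
 *
 *   1. `X-API-Key` header, validated by `verifyApiKey`
 *   2. `Authorization: Bearer <token>`, validated by `verifyAccessToken`
 *   3. An OIDC session resolved by `getAuth`
 *
 * A credential that is presented but fails validation ends the request with
 * 401 straight away; it never falls through to a later method. A request
 * carrying a bad API key is therefore rejected even if it also carries a
 * valid bearer token or session.
 *
 * @param c - Hono request context; the database handle is read from `c.get("db")`.
 * @param next - Continuation invoked only after one credential has been accepted.
 * @returns The result of `next()` on success, otherwise a 401 JSON response.
 */
export async function requireAuth(c: Context, next: Next) {
  const db = c.get("db");

  // NOTE(review): no branch below records which principal authenticated (nothing
  // is written to the context before next()). If downstream handlers make
  // per-user authorization decisions, confirm they obtain the identity elsewhere.

  // 1. API key (programmatic access). An empty header value is falsy and is
  //    treated as "no key presented", so evaluation continues with method 2.
  const apiKey = c.req.header("X-API-Key");
  if (apiKey) {
    if (await verifyApiKey(db, apiKey)) return next();
    return c.json({ error: "Invalid API key" }, 401);
  }

  // 2. MCP OAuth Bearer token. The auth scheme is matched case-insensitively
  //    (RFC 7235), so "bearer <token>" is validated as a token instead of
  //    silently skipping to the session check.
  const authHeader = c.req.header("Authorization");
  const bearer =
    authHeader === undefined ? null : /^Bearer +(.*)$/i.exec(authHeader);
  if (bearer) {
    const token = (bearer[1] ?? "").trim();
    // An empty token is rejected here and never handed to the verifier, so the
    // outcome does not depend on how the lookup treats "".
    if (token !== "" && (await verifyAccessToken(db, token))) return next();
    return c.json({ error: "invalid_token" }, 401);
  }

  // 3. OIDC session (browser users). Reached only when neither header
  //    credential was presented.
  const session = await getAuth(c);
  if (session) return next();

  return c.json({ error: "Authentication required" }, 401);
}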