import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl

  // Only protect API routes (except /api/auth)
  if (!pathname.startsWith('/api/') || pathname.startsWith('/api/auth')) {
    return NextResponse.next()
  }

  // Check auth by forwarding to auth check
  const token = request.cookies.get('auth_token')?.value
  if (!token) {
    return NextResponse.json({ error: 'unauthorized' }, { status: 401 })
  }

  // Let the request through — individual API routes can do further validation if needed
  // The auth cookie existence is sufficient since it is httpOnly and set by server
  return NextResponse.next()
}

export const config = {
  matcher: ['/api/:path*'],
}