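import { Router, Request, Response } from "express";
import { nip98Auth } from "../middleware/nip98.js";
import { signJwt, verifyJwt } from "../auth/jwt.js";

const router = Router();

/** Lower-cased `Authorization` scheme prefix accepted by `/me`, including the separating space. */
const BEARER_PREFIX = "bearer ";

/**
 * Sign in with NIP-98 once; returns a JWT for subsequent requests.
 *
 * `nip98Auth` runs first and is expected to populate `req.nostr`. The handler
 * re-checks that value instead of asserting it, so a middleware that calls
 * `next()` without setting it results in a 401 rather than an unhandled
 * exception or a token minted for an undefined subject.
 *
 * NOTE(review): token lifetime, signing algorithm and key handling live in
 * `../auth/jwt.js` and are not visible here; confirm that issued tokens carry
 * an expiry.
 */
router.post("/login", nip98Auth, (req: Request, res: Response) => {
  const pubkey = req.nostr?.pubkey;
  if (!pubkey) {
    // Fail closed: never sign a token without an authenticated pubkey.
    res.status(401).json({ code: "unauthorized", message: "NIP-98 authentication required." });
    return;
  }

  // The body carries a bearer credential, so no cache (browser or
  // intermediary) may store it.
  res.set("Cache-Control", "no-store");
  res.json({ token: signJwt(pubkey), pubkey });
});

/**
 * Return current user from JWT (Bearer only). Used to restore session.
 *
 * Responds 401 `unauthorized` when no Bearer credential is presented and 401
 * `invalid_token` when `verifyJwt` returns a falsy payload. Both responses
 * carry a `WWW-Authenticate: Bearer` challenge, as a 401 is required to.
 */
router.get("/me", (req: Request, res: Response) => {
  const auth = req.headers.authorization;

  // Auth scheme names are case-insensitive, so "bearer <token>" is accepted
  // in addition to "Bearer <token>".
  const hasBearer =
    auth !== undefined && auth.slice(0, BEARER_PREFIX.length).toLowerCase() === BEARER_PREFIX;
  if (!hasBearer) {
    res.set("WWW-Authenticate", "Bearer");
    res.status(401).json({ code: "unauthorized", message: "Bearer token required." });
    return;
  }

  const payload = verifyJwt(auth.slice(BEARER_PREFIX.length).trim());
  if (!payload) {
    // One response for every verification failure: the caller is not told
    // whether the token was malformed, badly signed or expired.
    res.set("WWW-Authenticate", 'Bearer error="invalid_token"');
    res.status(401).json({ code: "invalid_token", message: "Invalid or expired token." });
    return;
  }

  res.json({ pubkey: payload.pubkey });
});

export default router;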