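/**
 * Paths that skip auth middleware (no session required).
 * Do not add a path here if any handler under it uses requireAuth (with or without role).
 * When adding a new API route that requires auth, add its path prefix to PROTECTED_PATH_PREFIXES below
 * so tests can assert it is never skipped.
 *
 * Each entry matches the exact path and anything below it (entry + '/...'), see skipAuth.
 */
export const SKIP_PATHS = [
  '/api/auth/login',
  '/api/auth/logout',
  '/api/auth/config',
  '/api/auth/oidc/authorize',
  '/api/auth/oidc/callback',
]

/**
 * Path prefixes for API routes that require an authenticated user (or role).
 * Every path in this list must NOT be skipped (skipAuth must return false).
 * Used by tests to prevent protected routes from being added to SKIP_PATHS.
 */
export const PROTECTED_PATH_PREFIXES = [
  '/api/cameras',
  '/api/devices',
  '/api/live',
  '/api/me',
  '/api/pois',
  '/api/users',
]

/**
 * Health-check roots that are always public.
 * '/api/health' also covers its sub-paths; '/health' is matched exactly.
 */
const HEALTH_API_ROOT = '/api/health'
const HEALTH_ROOT = '/health'

/**
 * True when `path` equals `root` or lies strictly below it ("root/...").
 * Matching on the segment boundary keeps a sibling route that merely shares
 * the leading characters (root + 'something') from inheriting the exemption.
 */
function isAtOrUnder(path, root) {
  return path === root || path.startsWith(root + '/')
}

/**
 * Decide whether the auth middleware should be bypassed for a request path.
 *
 * @param {string} path - Request path to test.
 *   NOTE(review): assumes this is the normalized pathname the router dispatches on
 *   (no query string, dot-segments and encoding already resolved); if normalization
 *   happens after this check, the decision made here may not match the route
 *   actually served. Confirm against the middleware caller.
 * @returns {boolean} true if the path is public (health check or SKIP_PATHS entry),
 *   false if the auth middleware must run.
 */
export function skipAuth(path) {
  // Fail closed: anything that is not a string is never treated as public.
  if (typeof path !== 'string') return false

  // Health endpoints. '/api/health' is matched on a segment boundary, like SKIP_PATHS,
  // instead of a bare startsWith, so a route that only shares the prefix still gets auth.
  // A public probe under a different name has to be listed in SKIP_PATHS explicitly.
  if (isAtOrUnder(path, HEALTH_API_ROOT) || path === HEALTH_ROOT) return true

  return SKIP_PATHS.some(p => isAtOrUnder(path, p))
}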