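const ROLES_ADMIN_OR_LEADER = Object.freeze(['admin', 'leader']);

/**
 * Resolve the authenticated user from the request context and enforce an
 * optional role requirement.
 *
 * @param {object} event - Request event; only `event.context.user` is read.
 * @param {{ role?: 'admin' | 'adminOrLeader' }} [opts] - Optional role gate.
 *   `'admin'` requires `user.role === 'admin'`; `'adminOrLeader'` accepts
 *   `'admin'` or `'leader'`.
 * @returns {object} The user object from `event.context.user`.
 * @throws Whatever `createError` builds: status 401 when no user is attached
 *   to the context, status 403 when the requested role gate is not met.
 */
export function requireAuth(event, opts = {}) {
  const user = event.context.user;
  if (!user) throw createError({ statusCode: 401, message: 'Unauthorized' });

  const { role } = opts;
  // NOTE(review): only these two `role` values are recognised. Any other value
  // (including a typo such as 'Admin') applies no role check at all, i.e. the
  // gate fails open — callers must pass exactly one of the documented strings.
  if (role === 'admin' && user.role !== 'admin') {
    throw createError({ statusCode: 403, message: 'Forbidden' });
  }
  if (role === 'adminOrLeader' && !ROLES_ADMIN_OR_LEADER.includes(user.role)) {
    throw createError({ statusCode: 403, message: 'Forbidden' });
  }
  return user;
}

// Auth path utilities

/** Exact paths (and their sub-paths) that never require authentication. */
export const SKIP_PATHS = Object.freeze([
  '/api/auth/login',
  '/api/auth/logout',
  '/api/auth/config',
  '/api/auth/oidc/authorize',
  '/api/auth/oidc/callback',
]);

/** Route prefixes under which every request must be authenticated. */
export const PROTECTED_PATH_PREFIXES = Object.freeze([
  '/api/cameras',
  '/api/devices',
  '/api/live',
  '/api/me',
  '/api/pois',
  '/api/users',
]);

/**
 * True when `path` is exactly `base` or lies below it (`base` + '/' + …).
 *
 * Matching on a path-segment boundary means `/api/auth/login` does not
 * accidentally cover `/api/auth/loginx` or `/api/auth/login-reset`.
 *
 * @param {string} path - Request path to test.
 * @param {string} base - Path the request must equal or be nested under.
 * @returns {boolean}
 */
function isPathOrChild(path, base) {
  return path === base || path.startsWith(`${base}/`);
}

/**
 * Decide whether a request path is exempt from authentication.
 *
 * Exempt are `/health`, `/api/health` and anything nested under it, and every
 * entry of `SKIP_PATHS` (exact or nested). All matches use a path-segment
 * boundary; the previous bare `startsWith('/api/health')` would also have
 * exempted any future route merely starting with those characters (e.g.
 * `/api/healthcheck`), so an unrelated route could silently go unauthenticated.
 *
 * @param {string} path - Request path (without scheme/host).
 * @returns {boolean} True when the path needs no authentication.
 */
export function skipAuth(path) {
  if (path === '/health' || isPathOrChild(path, '/api/health')) return true;
  return SKIP_PATHS.some((p) => isPathOrChild(path, p));
}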