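import { Hono } from "hono";

/** Name of the web UI's session cookie; it is cleared on logout. */
const SESSION_COOKIE = "atbb_session";

/** Upper bound on how long the logout route waits for AppView before clearing locally anyway. */
const APPVIEW_LOGOUT_TIMEOUT_MS = 5_000;

/**
 * Builds the web UI's auth routes.
 *
 * Currently a single route, `POST /logout`: asks AppView to revoke the
 * server-side session/tokens, then clears the session cookie on the web UI's
 * own domain and redirects to `/`.
 *
 * @param appviewUrl - Base URL of the AppView, without a trailing slash
 *   (the route appends `/api/auth/logout`).
 * @returns A Hono sub-app to be mounted on the main application.
 */
export function createAuthRoutes(appviewUrl: string) {
  return new Hono()
    /**
     * POST /logout — logout is a POST (not a GET link) so a third-party page
     * cannot log the user out with a plain cross-site navigation.
     *
     * The AppView call is best-effort: if AppView is down, unreachable or
     * slow we still clear the local cookie, otherwise the user would be stuck
     * "logged in" on the web UI. A failed revocation is logged so it stays
     * visible to operators.
     */
    .post("/logout", async (c) => {
      // NOTE(review): this forwards every cookie the browser sent for the
      // web UI domain to AppView, not just the session cookie. If AppView only
      // needs `atbb_session`, forwarding that one cookie would be tighter —
      // confirm what AppView's logout actually reads.
      const cookieHeader = c.req.header("cookie") ?? "";
      try {
        const logoutRes = await fetch(`${appviewUrl}/api/auth/logout`, {
          // fetch() defaults to GET. This route requires POST for CSRF
          // reasons; the AppView endpoint is called with POST for the same
          // reason — a POST-only endpoint would reject a GET and the tokens
          // would silently stay valid (the failure is only logged below).
          method: "POST",
          headers: { Cookie: cookieHeader },
          // Don't let a hung AppView hang the user's logout indefinitely.
          signal: AbortSignal.timeout(APPVIEW_LOGOUT_TIMEOUT_MS),
        });
        if (!logoutRes.ok) {
          console.error("Auth proxy: AppView logout returned non-ok status", {
            operation: "POST /logout",
            status: logoutRes.status,
          });
        }
      } catch (error: unknown) {
        // Re-throw only genuine programming errors. fetch() reports network
        // failures (DNS, refused connection, TLS, abort/timeout) as a
        // TypeError / DOMException, so TypeError must NOT be treated as a code
        // bug here — doing so would turn an unreachable AppView into a 500 on
        // this route and the local cookie would never be cleared.
        if (error instanceof ReferenceError || error instanceof SyntaxError) {
          throw error;
        }
        const cause =
          error instanceof Error && "cause" in error ? error.cause : undefined;
        console.error("Auth proxy: Failed to call AppView logout", {
          operation: "POST /logout",
          error: error instanceof Error ? error.message : String(error),
          // Node's fetch wraps the underlying socket error in `cause`; surface
          // it so the log says *why* AppView was unreachable.
          cause: cause instanceof Error ? cause.message : cause,
        });
        // Continue — still clear local cookie
      }

      const headers = new Headers();
      // A browser only deletes a cookie whose name, Domain and Path match the
      // one that was set. These attributes are assumed to match how
      // `atbb_session` is issued elsewhere (Path=/, host-only, no `Secure`) —
      // if the login flow sets a Domain or uses a `__Host-`/`Secure` cookie,
      // this clear must be updated to match or logout will leave the cookie
      // in place. TODO(review): confirm against the login handler.
      headers.set(
        "set-cookie",
        `${SESSION_COOKIE}=; Path=/; HttpOnly; Max-Age=0; SameSite=Lax`
      );
      headers.set("location", "/");
      // 303 forces the follow-up request to be a GET of "/", so the browser
      // does not re-POST the logout on reload.
      return new Response(null, { status: 303, headers });
    });
}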