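const { getSupabaseServiceClient } = require('../utils/supabase');

/**
 * Express-style middleware that authenticates a request with a Supabase
 * access token.
 *
 * Expects `Authorization: Bearer <token>`. The token is verified with
 * `supabase.auth.getUser`; the matching row of the `users` table is then
 * loaded and attached as `req.user` before `next()` is called.
 *
 * Responds 401 (without calling `next()`) when the header is missing or
 * malformed, the token is empty, rejected or expired, or no profile row
 * exists. Unexpected failures -- client construction or transport errors
 * thrown by the Supabase calls -- are forwarded with `next(err)` so the
 * request is handed to the error handler instead of hanging on an
 * unhandled rejection.
 *
 * @param {object} req - incoming request; reads `req.headers.authorization`, sets `req.user`
 * @param {object} res - response; used only for the 401 replies
 * @param {Function} next - continuation; called with no args on success, with the error on failure
 * @returns {Promise<void>}
 */
async function requireAuth(req, res, next) {
  const authHeader = req.headers.authorization;
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Authentication required' });
  }

  // Everything after the 'Bearer ' prefix. An empty token is rejected here
  // rather than spending a round-trip on a lookup that cannot succeed.
  const token = authHeader.slice(7);
  if (token === '') {
    return res.status(401).json({ error: 'Invalid or expired token' });
  }

  try {
    const supabase = getSupabaseServiceClient();

    const { data, error } = await supabase.auth.getUser(token);
    // `data` is guarded so a failed lookup that leaves it empty cannot throw
    // a TypeError; a reported error or a missing user both mean the token is
    // not acceptable.
    const user = data?.user;
    if (error || !user) {
      return res.status(401).json({ error: 'Invalid or expired token' });
    }

    // Fetch user profile from our users table. Session 9 added
    // `grace_period_until` + `stripe_customer_id` to the select so the
    // grace-period middleware can read them off `req.user` without a
    // second round-trip. Both fields default to null when absent so
    // pre-Stripe users behave identically to before.
    const { data: profile, error: profileError } = await supabase
      .from('users')
      .select('id, email, tier, scan_count, scan_reset_date, founder_status, grace_period_until, stripe_customer_id')
      .eq('id', user.id)
      .single();

    if (profileError || !profile) {
      return res.status(401).json({ error: 'User profile not found' });
    }

    // Only the verified profile row is exposed downstream; the bearer token
    // itself is not attached to the request.
    req.user = profile;
    return next();
  } catch (err) {
    // A transport or client failure is not an auth decision: let the error
    // handler respond rather than leaving the response pending.
    return next(err);
  }
}

module.exports = { requireAuth };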