import { NextRequest, NextResponse } from "next/server";
import { readApps, upsertApp, removeApp, validateEntry, type AppEntry } from "@/lib/registry";
import { verifySessionToken, SESSION_COOKIE } from "@/lib/session";

// Opt this route out of Next.js static rendering/caching so every request
// re-reads the registry instead of serving a build-time snapshot.
export const dynamic = "force-dynamic";

/**
 * Resolves the session cookie on the request and reports whether it belongs
 * to an admin. The mutating handlers gate on this; the login wall in front of
 * the hub already requires *some* session, so this only adds the admin check.
 *
 * @param req - incoming request whose cookies may carry the session token.
 * @returns true only when the token verifies and the session has `admin` set.
 */
async function isAdmin(req: NextRequest): Promise<boolean> {
  const token = req.cookies.get(SESSION_COOKIE)?.value;
  const session = await verifySessionToken(token);
  return Boolean(session?.admin);
}

/**
 * Lists every registered app.
 *
 * NOTE(review): no session check happens in this handler — read access relies
 * on whatever login wall / middleware sits in front of the route; confirm that
 * it also covers this API path.
 *
 * @returns `{ apps }` as read from the registry.
 */
export async function GET() {
  const apps = await readApps();
  return NextResponse.json({ apps });
}

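/**
 * Creates or updates a registry entry. Admin-only.
 *
 * Flow: admin check (403) → JSON parse (400) → object-shape guard (400) →
 * validateEntry (422) → upsertApp. The body is untrusted input and is held as
 * `unknown` until the runtime checks have run.
 *
 * NOTE(review): authorization is cookie-based and no Origin/CSRF check is
 * visible in this file — confirm the session cookie is SameSite, or that
 * middleware enforces an origin check for state-changing requests.
 *
 * @param req - request whose JSON body is the candidate AppEntry.
 * @returns the full app list after the upsert, or an error response.
 */
export async function POST(req: NextRequest) {
  if (!(await isAdmin(req))) {
    return NextResponse.json({ error: "Forbidden — admin only." }, { status: 403 });
  }

  let raw: unknown;
  try {
    raw = await req.json();
  } catch {
    return NextResponse.json({ error: "Invalid JSON body." }, { status: 400 });
  }

  // `null`, arrays and primitives are valid JSON but can never be an entry;
  // reject them here so validateEntry only ever receives a plain object.
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    return NextResponse.json({ error: "JSON body must be an object." }, { status: 400 });
  }
  const body = raw as Partial<AppEntry>;

  const err = validateEntry(body);
  if (err) return NextResponse.json({ error: err }, { status: 422 });

  // validateEntry is the runtime check that justifies the cast below —
  // presumably it verifies every required AppEntry field; confirm against lib/registry.
  return NextResponse.json({ apps: await upsertApp(body as AppEntry) });
}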

/**
 * Removes the entry identified by the `slug` query parameter. Admin-only.
 *
 * @param req - request carrying `?slug=…`.
 * @returns the remaining app list, or an error response (403 non-admin,
 *   400 missing slug).
 */
export async function DELETE(req: NextRequest) {
  const allowed = await isAdmin(req);
  if (!allowed) {
    return NextResponse.json({ error: "Forbidden — admin only." }, { status: 403 });
  }

  // A missing or empty slug is rejected the same way.
  const slug = req.nextUrl.searchParams.get("slug");
  if (!slug) {
    return NextResponse.json({ error: "slug query param required." }, { status: 400 });
  }

  const apps = await removeApp(slug);
  return NextResponse.json({ apps });
}
