import { NextRequest, NextResponse } from "next/server";
import { verifyLogin } from "@/lib/users";
import { createSessionToken, SESSION_COOKIE } from "@/lib/session";
import { withBase } from "@/lib/basePath";

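/** Session cookie lifetime in seconds (12 hours). */
const SESSION_MAX_AGE_SECONDS = 60 * 60 * 12;

/**
 * Read a form field as a string.
 *
 * A missing field or a non-string entry (e.g. a File upload posted under the
 * same name) yields "" rather than "null" / "[object File]".
 */
function formString(form: FormData, name: string): string {
  const value = form.get(name);
  return typeof value === "string" ? value : "";
}

/**
 * Pick a safe same-origin path to land on after login, falling back to "/".
 *
 * Only absolute paths ("/…") are accepted. "//host" and "/\host" are rejected
 * because the WHATWG URL parser resolves both to a different host (an open
 * redirect); as a backstop the candidate is also resolved against the request
 * URL and must keep the request's origin. "/login…" is rejected so a failed
 * attempt cannot bounce straight back onto the login page.
 *
 * @param candidate - the raw `from` value supplied by the client
 * @param reqUrl - the request URL, used as the base for resolution
 * @returns the candidate if it passes every check, else "/"
 */
function safeReturnPath(candidate: string, reqUrl: string): string {
  if (
    !candidate.startsWith("/") ||
    candidate.startsWith("//") ||
    candidate.startsWith("/\\") ||
    candidate.startsWith("/login")
  ) {
    return "/";
  }
  try {
    const requestOrigin = new URL(reqUrl).origin;
    if (new URL(candidate, reqUrl).origin !== requestOrigin) return "/";
  } catch {
    // Unparseable request URL or candidate: never redirect on guesswork.
    return "/";
  }
  return candidate;
}

/**
 * Local username/password login (directory users + the bootstrap admin).
 *
 * Reads `email`, `password` and an optional `from` return path from the posted
 * form, verifies the credentials with `verifyLogin`, and on success sets the
 * session cookie and redirects (303) to `from`. On failure it redirects back
 * to the login page with `error=invalid`, preserving the sanitised `from`.
 *
 * @param req - the incoming form POST
 * @returns a 303 redirect; the session cookie is set only on success
 */
export async function POST(req: NextRequest): Promise<NextResponse> {
  const form = await req.formData();
  const email = formString(form, "email");
  const password = formString(form, "password");
  const from = safeReturnPath(formString(form, "from") || "/", req.url);

  // A falsy result from verifyLogin means the credentials were rejected.
  const id = await verifyLogin(email, password);
  if (!id) {
    const loginPath = withBase(`/login?error=invalid&from=${encodeURIComponent(from)}`);
    return NextResponse.redirect(new URL(loginPath, req.url), 303);
  }

  const res = NextResponse.redirect(new URL(withBase(from), req.url), 303);
  res.cookies.set(SESSION_COOKIE, await createSessionToken(id), {
    httpOnly: true, // not readable from page scripts
    sameSite: "lax", // sent on top-level navigations only
    path: "/",
    secure: process.env.NODE_ENV === "production", // HTTPS-only outside local dev
    maxAge: SESSION_MAX_AGE_SECONDS,
  });
  return res;
}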
