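// auth.js
//
// Discord OAuth2 login for the storefront.
//
// Flow: GET /auth/discord -> redirect to Discord's authorize page ->
// Discord redirects back to GET /auth/discord/callback?code=...&state=... ->
// we exchange the code for an access token, read the user's identity and
// store it in req.session.user. GET /api/whoami reports that session user.
//
// Assumes a session middleware has populated req.session before these
// handlers run (the original file made the same assumption).
import express from "express";
import fetch from "node-fetch";
import { randomBytes, timingSafeEqual } from "node:crypto";

const router = express.Router();

const CLIENT_ID = process.env.DISCORD_CLIENT_ID;
const CLIENT_SECRET = process.env.DISCORD_CLIENT_SECRET;
const REDIRECT_URI = process.env.DISCORD_REDIRECT_URI; // e.g. https://your.site/api/auth/discord/callback
const SCOPES = ["identify"]; // you only need the user's handle/id

const DISCORD_AUTHORIZE_URL = "https://discord.com/oauth2/authorize";
const DISCORD_TOKEN_URL = "https://discord.com/api/oauth2/token";
const DISCORD_ME_URL = "https://discord.com/api/users/@me";

// NOTE(review): if any of CLIENT_ID / CLIENT_SECRET / REDIRECT_URI is unset the
// authorize URL and token exchange will silently be wrong; consider failing
// fast at startup in the place that mounts this router.

/**
 * Generate an unguessable OAuth2 `state` value (CSRF token for the callback).
 * @returns {string} 32 hex characters from the CSPRNG
 */
function makeState() {
  return randomBytes(16).toString("hex");
}

/**
 * Constant-time comparison of the `state` echoed back by Discord against the
 * one stored in the session.
 * @param {unknown} received - value from the callback query string
 * @param {unknown} expected - value saved in the session when the flow started
 * @returns {boolean} true only when both are non-empty strings and equal
 */
function stateMatches(received, expected) {
  if (typeof received !== "string" || typeof expected !== "string") return false;
  if (received.length === 0 || expected.length === 0) return false;
  const a = Buffer.from(received, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

/**
 * Exchange an authorization code for a token set at Discord's token endpoint.
 * @param {string} code - authorization code from the callback query
 * @returns {Promise<object>} the parsed token response (has `access_token`)
 * @throws {Error} on a non-2xx response or a response without an access_token
 */
async function exchangeCode(code) {
  const r = await fetch(DISCORD_TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      grant_type: "authorization_code",
      code,
      redirect_uri: REDIRECT_URI,
    }),
  });
  // The original code ignored r.ok and would have sent `Bearer undefined`
  // to the user endpoint on an error body such as { error: "invalid_grant" }.
  if (!r.ok) {
    throw new Error(`Discord token endpoint returned HTTP ${r.status}`);
  }
  const token = await r.json();
  if (typeof token?.access_token !== "string" || token.access_token.length === 0) {
    throw new Error("Discord token response has no access_token");
  }
  return token;
}

/**
 * Fetch the authenticated user's profile with the `identify` scope.
 * @param {string} accessToken - bearer token from exchangeCode()
 * @returns {Promise<object>} parsed /users/@me body (has `id`, `username`)
 * @throws {Error} on a non-2xx response or a body without an `id`
 */
async function fetchDiscordUser(accessToken) {
  const r = await fetch(DISCORD_ME_URL, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!r.ok) {
    throw new Error(`Discord user endpoint returned HTTP ${r.status}`);
  }
  const me = await r.json();
  if (typeof me?.id !== "string" || me.id.length === 0) {
    throw new Error("Discord user response has no id");
  }
  return me;
}

// Step 1: send the browser to Discord. The freshly generated `state` is kept
// in the session so the callback can reject requests that did not originate
// from this flow (login CSRF).
router.get("/auth/discord", (req, res) => {
  const state = makeState();
  req.session.oauthState = state;

  const url = new URL(DISCORD_AUTHORIZE_URL);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", SCOPES.join(" "));
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("state", state);
  res.redirect(url.toString());
});

// Step 2: Discord sends the user back here with ?code=...&state=...
router.get("/auth/discord/callback", async (req, res) => {
  const { code, state, error } = req.query;

  // The stored state is single-use: clear it before any validation so a
  // failed attempt cannot be replayed against the same session value.
  const expectedState = req.session.oauthState;
  delete req.session.oauthState;

  if (!stateMatches(state, expectedState)) {
    return res.status(400).send("Invalid OAuth state");
  }
  // Discord reports a declined consent screen via ?error=... instead of a code.
  if (typeof error === "string") {
    return res.status(400).send("Discord authorization was not granted");
  }
  if (typeof code !== "string" || code.length === 0) {
    return res.status(400).send("Missing authorization code");
  }

  try {
    const token = await exchangeCode(code);
    const me = await fetchDiscordUser(token.access_token);

    // NOTE(review): if the session store supports it (e.g. express-session's
    // req.session.regenerate), rotating the session id here would also close
    // off session fixation; the middleware in use is not visible from this file.
    req.session.user = {
      id: me.id,
      username: me.username,
      global_name: me.global_name ?? null,
    };
    res.redirect("/"); // back to storefront
  } catch (err) {
    // Log the detail server-side; the browser gets a generic failure so that
    // upstream error bodies are not echoed to the client.
    console.error("Discord OAuth callback failed:", err);
    res.status(502).send("Discord login failed");
  }
});

// Report the logged-in user (or 401 when there is no session user).
router.get("/api/whoami", (req, res) => {
  const user = req.session?.user;
  if (user == null) return res.sendStatus(401);
  res.json(user);
});

export default router;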