import { NextRequest, NextResponse } from 'next/server'

/**
 * Returns the lowercase hex SHA-256 digest of `pw`, hashed over its UTF-8 bytes.
 *
 * Security note: this is one unsalted pass of a fast hash, not a password KDF.
 * `middleware` in this file compares the result directly with the auth cookie,
 * so the digest acts as the bearer credential and should be treated as a secret.
 *
 * @param pw - Text to digest.
 * @returns 64 lowercase hexadecimal characters.
 */
async function hash(pw: string) {
  const bytes = new TextEncoder().encode(pw)
  const digest = new Uint8Array(await crypto.subtle.digest('SHA-256', bytes))
  let hex = ''
  for (const octet of digest) {
    // Two hex digits per byte, zero-padded so the output length is fixed.
    hex += octet.toString(16).padStart(2, '0')
  }
  return hex
}

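/**
 * Compares two strings without returning at the first differing character,
 * so the time taken does not depend on how long a matching prefix the
 * caller supplied. Only the length check exits early.
 */
function safeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false
  let diff = 0
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
  }
  return diff === 0
}

/**
 * Shared-password gate for the site.
 *
 * A request passes when its `moon_tavern_auth` cookie equals the SHA-256 hex
 * digest of `DEMO_PASSWORD`; otherwise it is redirected to `/login` with the
 * requested path in the `next` query parameter.
 *
 * Security notes:
 * - The cookie value is a deterministic function of the password, so it stays
 *   valid until `DEMO_PASSWORD` changes; there is no per-session state here.
 * - The gate fails open: with `DEMO_PASSWORD` unset or empty, every request
 *   is allowed through.
 *
 * @param req - Incoming request.
 * @returns A pass-through response, or a redirect to the login page.
 */
export async function middleware(req: NextRequest) {
  const password = process.env.DEMO_PASSWORD
  // Fail-open: no configured password means the gate is disabled entirely.
  if (!password) return NextResponse.next()

  // Exempt only the login page and its sub-paths. A bare startsWith('/login')
  // would also let through unrelated routes such as '/login-anything'.
  const { pathname } = req.nextUrl
  if (pathname === '/login' || pathname.startsWith('/login/')) return NextResponse.next()

  const cookie = req.cookies.get('moon_tavern_auth')?.value
  const expected = await hash(password)
  // Avoid `===` here: the cookie is attacker-controlled and the expected
  // value is the credential itself.
  if (cookie !== undefined && safeEqual(cookie, expected)) return NextResponse.next()

  const loginUrl = new URL('/login', req.url)
  // NOTE(review): `next` comes from the request path and is untrusted; the
  // login handler (not visible here) should accept it only as a same-origin
  // relative path before redirecting to it.
  loginUrl.searchParams.set('next', pathname)
  return NextResponse.redirect(loginUrl)
}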

// Next.js middleware configuration: `matcher` selects the request paths on
// which `middleware` runs. The pattern is a negative lookahead, so every path
// is gated EXCEPT those that begin (after the leading slash) with `_next`,
// `favicon.ico`, `uploads` or `api/login`.
// NOTE(review): the alternatives are unanchored prefixes, so paths such as
// `/uploads-x` or `/api/loginfoo` also skip the gate, and the unescaped `.` in
// `favicon.ico` matches any character. Consider adding a trailing `/` or
// end-of-path boundary to each alternative.
// NOTE(review): this middleware never runs for anything under `/uploads`;
// confirm that uploaded files are meant to be reachable without the cookie.
export const config = {
  matcher: ['/((?!_next|favicon.ico|uploads|api/login).*)'],
}
