// Importing "server-only" is meant to keep this module out of client bundles.
import "server-only";
import { headers } from "next/headers";
import { redirect, notFound } from "next/navigation";
import { auth } from "./auth";

/**
 * Looks up the session for the current request.
 *
 * The incoming request headers are handed to `auth.api.getSession`, and its
 * result is returned unchanged. The other helpers in this file treat a falsy
 * result as "not signed in".
 *
 * @returns Whatever `auth.api.getSession` resolves to for these headers.
 */
export async function getServerSession() {
  const requestHeaders = await headers();
  return auth.api.getSession({ headers: requestHeaders });
}

/**
 * Gate for pages and actions that need a signed-in user.
 *
 * Without a session the request is redirected to `/sign-in`. When `redirectTo`
 * is given it is carried along as the URL-encoded `redirect` query parameter.
 *
 * Security note: `redirectTo` is encoded here but not checked to be a
 * same-site path. Whatever consumes the `redirect` parameter (not shown in
 * this file) has to validate it before navigating, otherwise a
 * caller-supplied value could turn sign-in into an open redirect.
 *
 * @param redirectTo Optional location to return to after signing in.
 * @returns The current session when one exists.
 */
export async function requireAuth(redirectTo?: string) {
  const session = await getServerSession();

  if (!session) {
    let query = "";
    if (redirectTo) {
      query = `?redirect=${encodeURIComponent(redirectTo)}`;
    }
    // redirect() signals the navigation by throwing, so a caller that wraps
    // requireAuth() in try/catch must let that error propagate.
    redirect(`/sign-in${query}`);
  }

  return session;
}

/**
 * Gate for the platform-admin surface.
 *
 * Anonymous visitors and signed-in non-admins get the same 404 (not a 403),
 * so the existence of admin routes isn't disclosed to ordinary users.
 *
 * NOTE(review): the role is compared by strict equality with "admin". If the
 * auth layer can store several roles in this one field, such a user would be
 * rejected here (fails closed) — confirm against the auth configuration.
 *
 * @returns The current session when its user has the "admin" role.
 */
export async function requireAdmin() {
  const session = await getServerSession();

  // Two separate guards, one outcome: both cases end in notFound().
  if (!session) notFound();
  if (session.user.role !== "admin") notFound();

  return session;
}

/**
 * Convenience accessor for the active organization id recorded on the session.
 *
 * This only reads the session field and is not an authorization check:
 * callers that scope data by the returned id still need to verify the user's
 * membership in that organization.
 *
 * @returns The active organization id, or `null` when there is no session or
 *   no active organization.
 */
export async function getActiveOrgId() {
  const current = await getServerSession();
  const activeOrgId = current?.session.activeOrganizationId;
  return activeOrgId ?? null;
}