import { BASE_URL } from 'src/config/erpnext'

// Token is optional — in production, nginx injects it server-side.
// Only needed for local dev (VITE_ERP_TOKEN in .env).
const SERVICE_TOKEN = import.meta.env.VITE_ERP_TOKEN || ''

export function authFetch (url, opts = {}) {
  if (SERVICE_TOKEN) {
    opts.headers = {
      ...opts.headers,
      Authorization: 'token ' + SERVICE_TOKEN,
    }
  } else {
    opts.headers = { ...opts.headers }
  }
  return fetch(url, opts).then(res => {
    console.log('[authFetch]', opts.method || 'GET', url, '→', res.status, res.type)
    if (res.status === 401 || res.status === 403) {
      console.warn('authFetch: session expired, reloading')
      window.location.reload()
      return new Response('{}', { status: res.status })
    }
    return res
  })
}

export async function getLoggedUser () {
  // First try nginx whoami endpoint (returns Authentik email header)
  try {
    const res = await fetch(BASE_URL + '/auth/whoami')
    if (res.ok) {
      const data = await res.json()
      if (data.email && data.email !== '') return data.email
    }
  } catch {}
  // Fallback: ask ERPNext (returns API token owner, usually "Administrator")
  try {
    const headers = SERVICE_TOKEN ? { Authorization: 'token ' + SERVICE_TOKEN } : {}
    const res = await fetch(BASE_URL + '/api/method/frappe.auth.get_logged_user', { headers })
    if (res.ok) {
      const data = await res.json()
      return data.message || 'authenticated'
    }
  } catch {}
  return 'authenticated'
}

export async function logout () {
  window.location.href = 'https://auth.targo.ca/if/flow/default-invalidation-flow/'
}