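const express = require("express");

const router = express.Router();

// Import controllers
const userControllers = require("./controllers/userControllers");
const authControllers = require("./controllers/authControllers");
const saveControllers = require("./controllers/saveControllers");
const verifyToken = require("./middlewares/verifyToken");

/**
 * Authorization guard: checks that the authenticated session belongs to the
 * same user as the `:id` route parameter.
 *
 * Must be mounted after `verifyToken`, which presumably populates `req.user`
 * with the user's identifier (confirm against ./middlewares/verifyToken).
 *
 * @param {object} req - Express request; reads `req.user` and `req.params.id`.
 * @param {object} res - Express response; receives a 403 JSON body on mismatch.
 * @param {Function} next - Called only when the two identifiers match.
 * @returns {*} The result of `res.status(403).json(...)` or of `next()`.
 */
const verifySelf = (req, res, next) => {
  // Fail closed when no identity is attached to the request. Without this
  // guard String(undefined) === "undefined" and String(null) === "null", so a
  // literal ":id" of "undefined" or "null" would compare equal and pass.
  // NOTE(review): if req.user is ever a plain object, String() yields
  // "[object Object]"; compare an explicit id field in that case.
  if (req.user == null || String(req.user) !== String(req.params.id)) {
    return res.status(403).json({ message: "Forbidden." });
  }
  return next();
};

// Auth — PKCE flow (cookie-based)
// NOTE(review): none of these routes use verifyToken; presumably the auth
// controllers read and validate the cookie themselves. Confirm.
// NOTE(review): refresh and logout are state-changing and cookie-authenticated;
// no CSRF defence (SameSite attribute, CSRF token, Origin check) is visible in
// this file. Confirm one is applied at the app or cookie level.
router.post("/auth/session", authControllers.session);
router.post("/auth/refresh", authControllers.refresh);
router.get("/auth/me", authControllers.me);
router.post("/auth/logout", authControllers.logout);

// User management
// NOTE(review): browse is gated by verifyToken only, so any authenticated user
// can call it. Confirm it exposes no other users' sensitive fields, or restrict
// it to a privileged role.
router.get("/users", verifyToken, userControllers.browse);
router.get("/users/:id", verifyToken, verifySelf, userControllers.read);
// Served by the same handler as GET /users/:id.
router.get("/users/:id/field", verifyToken, verifySelf, userControllers.read);
router.put("/users/:id", verifyToken, verifySelf, userControllers.edit);
// Registration and login are intentionally reachable without a session.
// NOTE(review): no rate limiting is visible in this file; confirm these two
// endpoints are throttled elsewhere.
router.post("/users", userControllers.add);
router.delete("/users/:id", verifyToken, verifySelf, userControllers.destroy);
router.post("/login", userControllers.login);

// Sync game state — cookie auth (was verifyOAuth, now same as verifyToken)
// NOTE(review): verifySelf only proves the caller owns the account. Confirm
// updateCoins validates the submitted value server-side rather than trusting
// a client-reported balance.
router.patch(
  "/users/:id/coins",
  verifyToken,
  verifySelf,
  userControllers.updateCoins
);

// Game saves — cookie auth
// No :id in the path, so verifySelf does not apply here. Presumably the save
// controllers scope reads and writes to req.user; confirm they never take the
// owner from the request body.
router.get("/save", verifyToken, saveControllers.load);
router.post("/save", verifyToken, saveControllers.save);

module.exports = router;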