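import { handlers } from '@/lib/auth'
import { checkRateLimit } from '@/lib/rate-limit'

/** Maximum POST requests accepted from one client IP within a window. */
const AUTH_RATE_LIMIT = 10 // requests per window
/** Length of the rate-limit window in milliseconds. */
const AUTH_RATE_WINDOW_MS = 60 * 1000 // 1 minute

/** Shape of a route handler for this endpoint: one Request in, one Response out. */
type RouteHandler = (req: Request) => Promise<Response>

/**
 * Derives the client address used as the rate-limit bucket key.
 *
 * Precedence: the first entry of `x-forwarded-for`, then `x-real-ip`, then the
 * literal `'unknown'`. `||` (not `??`) is deliberate so that an empty first
 * entry falls through to the next source rather than producing an empty key.
 *
 * NOTE(review): both headers arrive from the network and are client-supplied
 * unless a trusted reverse proxy strips or rewrites them, so a request that
 * sets `x-forwarded-for` itself chooses its own bucket — confirm the edge in
 * front of this route sanitises these headers. Requests carrying neither
 * header all share the single `'unknown'` bucket.
 *
 * @param req - Incoming request.
 * @returns Best-effort client IP string; never empty.
 */
function getClientIp(req: Request): string {
  const forwarded = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
  return forwarded || req.headers.get('x-real-ip') || 'unknown'
}

/**
 * Wraps an auth route handler so that POST requests (sign-in, magic-link
 * sends) are rate limited per client IP; every other method is passed
 * straight through to `handler` untouched.
 *
 * @param handler - Handler invoked when the request is within the limit.
 * @returns A handler that answers 429 with a JSON error body and a
 *   `Retry-After` header once `AUTH_RATE_LIMIT` POSTs have been seen from the
 *   same IP inside one `AUTH_RATE_WINDOW_MS` window.
 */
function withRateLimit(handler: RouteHandler): RouteHandler {
  return async (req: Request): Promise<Response> => {
    if (req.method !== 'POST') {
      return handler(req)
    }

    const ip = getClientIp(req)
    const { success, resetAt } = checkRateLimit(`auth:${ip}`, AUTH_RATE_LIMIT, AUTH_RATE_WINDOW_MS)
    if (success) {
      return handler(req)
    }

    // Retry-After is a non-negative integer number of seconds; clamp so a
    // resetAt that is already in the past cannot yield a negative header.
    const retryAfterSeconds = Math.max(0, Math.ceil((resetAt - Date.now()) / 1000))
    return new Response(JSON.stringify({ error: 'Too many authentication attempts' }), {
      status: 429,
      headers: {
        'Content-Type': 'application/json',
        'Retry-After': String(retryAfterSeconds),
      },
    })
  }
}

// GET (callback / session reads) is intentionally not rate limited; only the
// credential-bearing POST path is wrapped.
export const GET = handlers.GET
// `handlers.POST` is declared outside this file; the cast narrows it to the
// plain Request -> Response signature `withRateLimit` expects. Kept from the
// original — verify it still matches the auth library's handler type.
export const POST = withRateLimit(handlers.POST as RouteHandler)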