import "server-only"
import { cookies } from "next/headers"
import { getIronSession, type SessionOptions } from "iron-session"

/**
 * Authenticated principal stored inside the session cookie.
 *
 * iron-session seals (encrypts + signs) the cookie with SESSION_PASSWORD,
 * so once a cookie unseals these fields are taken at face value on the
 * server — `role` in particular is presumably what downstream guards
 * authorize on (verify against the code that reads it). Anyone holding
 * SESSION_PASSWORD can mint a cookie with any `role`, which is why the
 * secret's entropy and confidentiality matter as much as the checks below.
 */
export type SessionUser = {
  id: string
  email: string
  name?: string | null
  // Staff roles (ADMIN, SUPPORT) vs tenant-scoped roles (CLIENT_*) — the
  // split is inferred from the names; confirm against the authz code.
  role: "ADMIN" | "SUPPORT" | "CLIENT_ADMIN" | "CLIENT_VIEWER"
  // Tenant the CLIENT_* roles are scoped to; presumably absent for staff.
  tenantId?: string | null
  // CNPJ (Brazilian company registration number) of the tenant, when known.
  cnpj?: string | null
}

/**
 * Full shape of the sealed session payload.
 *
 * `user` is set for a fully signed-in principal. `portalPending` looks like
 * an intermediate state for a portal contact who has authenticated but not
 * yet chosen which client (tenant) to act as — hence the list of candidate
 * `clients`; confirm against the login flow. Both keys are optional, so
 * readers must handle an empty session (neither present).
 *
 * NOTE(review): a session holding only `portalPending` carries no `role`
 * or `tenantId` and must not be treated as authenticated for tenant data.
 */
export type SessionData = {
  user?: SessionUser
  portalPending?: {
    contatoId: string
    email: string
    name?: string | null
    // Candidate tenants the pending contact may pick from — identifying
    // fields only (no secrets); trusted only as far as the cookie seal is.
    clients: Array<{ id: string; razao_social: string | null; nome_fantasia: string | null; cnpj: string | null }>
  }
}

/**
 * Reads the secret iron-session uses to encrypt and sign the session cookie.
 *
 * Evaluated once at module load so a misconfigured deployment fails fast
 * instead of serving requests with an unusable session layer. Two checks
 * run in order: the variable must be present and non-empty, then at least
 * 32 characters long.
 *
 * Security note: length is only a proxy for entropy. A 32-character value
 * that is guessable, reused across environments, or committed to source
 * control still lets an attacker forge any `SessionUser` (including its
 * `role`). Generate it with a CSPRNG — the error text suggests
 * `openssl rand -base64 48` — and treat it as a credential.
 *
 * @returns the validated secret
 * @throws Error when the variable is unset/empty or shorter than 32 chars
 */
function readSessionPassword(): string {
  const candidate = process.env.SESSION_PASSWORD
  if (candidate === undefined || candidate === "") {
    throw new Error(
      "SESSION_PASSWORD environment variable is required. Set a random 32+ character value for production, e.g., using openssl rand -base64 48"
    )
  }
  if (candidate.length < 32) {
    throw new Error(
      "SESSION_PASSWORD must be at least 32 characters long for security. Update your env var accordingly."
    )
  }
  return candidate
}

// Validated secret consumed by `sessionOptions` below.
const rawSessionPassword = readSessionPassword()

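/**
 * iron-session configuration shared by every reader/writer of the session.
 *
 * Security properties of the cookie as configured here:
 * - `httpOnly`: not readable from page JavaScript, so an XSS cannot read
 *   the sealed cookie directly (it can still drive requests that carry it).
 * - `secure` only when NODE_ENV is "production": any other deployment that
 *   is reachable over the network (staging, preview) will send the cookie
 *   over plain HTTP unless it also sets NODE_ENV to "production".
 * - `sameSite: "lax"`: cross-site top-level GET navigations still carry the
 *   cookie, so state-changing work must never be performed on GET.
 * - `path: "/"` with no `domain`: scoped to this origin. NOTE(review): a
 *   `__Host-` cookie-name prefix would let browsers enforce exactly that
 *   scope; it is not applied here because renaming the cookie invalidates
 *   every live session and `__Host-` cookies are rejected over http in
 *   development.
 * - No explicit `ttl`, so iron-session's default lifetime applies; consider
 *   pinning one deliberately for an admin panel.
 *
 * `rawSessionPassword` is guaranteed to be a `string` by the module-load
 * checks above, so the former `as string` assertion was redundant and has
 * been dropped (declarations over assertions).
 */
export const sessionOptions: SessionOptions = {
  cookieName: "painel_smtp_session",
  password: rawSessionPassword,
  cookieOptions: {
    secure: process.env.NODE_ENV === "production",
    httpOnly: true,
    sameSite: "lax",
    path: "/",
  },
}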

/**
 * Unseals the current request's session cookie and returns the iron-session
 * handle for it.
 *
 * The handle exposes the `SessionData` fields plus iron-session's `save()`
 * and `destroy()`. A missing or tampered cookie is expected to yield an
 * empty session rather than throw (iron-session behaviour — confirm for the
 * installed version). NOTE(review): the Next.js cookie store is writable
 * only in Server Actions and Route Handlers, so `save()`/`destroy()` called
 * from a Server Component will not persist; mutate the session from a
 * writable context.
 *
 * @returns the unsealed session for this request
 */
export async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
}
