import { NextResponse } from 'next/server';

const csrfCookieName = 'csrf';
const cookieSecure = process.env.COOKIE_SECURE === 'true';

function createToken() {
  const bytes = new Uint8Array(32);
  crypto.getRandomValues(bytes);
  return Array.from(bytes, (byte) => byte.toString(16).padStart(2, '0')).join('');
}

export function proxy(request) {
  const token = request.cookies.get(csrfCookieName)?.value;
  if (token) {
    return NextResponse.next();
  }

  const nextToken = createToken();
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-csrf-token', nextToken);

  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  response.cookies.set(csrfCookieName, nextToken, {
    httpOnly: true,
    sameSite: 'strict',
    secure: cookieSecure,
    path: '/',
  });

  return response;
}

export const config = {
  matcher: ['/manage', '/manage/((?!api/).*)'],
};