import { NextRequest, NextResponse } from 'next/server'
import { authenticateH5FromCookieHeader, getCookieHeaderFromRequest } from '@/lib/h5/auth'
import { h5Router, H5ForbiddenError } from '@/lib/h5/router'
import { mapMessagesForH5Response } from '@/lib/h5/message-content'
import { messageRepo } from '@/lib/database/repositories/message.repo'

export const runtime = 'nodejs'
export const dynamic = 'force-dynamic'

/**
 * 加载会话历史消息（§6.2）。
 *
 * GET /api/h5/messages?sessionId=xxx
 * 鉴权：forge_h5 cookie + 校验 session.external_user_id 归属
 * 出站 content 已 strip（仅 text + 附件块）；DB 仍为完整 blocks。
 */
export async function GET(req: NextRequest): Promise<NextResponse> {
  const auth = authenticateH5FromCookieHeader(getCookieHeaderFromRequest(req))
  if (!auth) {
    return NextResponse.json({ error: 'Session expired' }, { status: 401 })
  }

  const sessionId = req.nextUrl.searchParams.get('sessionId')
  if (!sessionId) {
    return NextResponse.json({ error: 'Missing sessionId' }, { status: 400 })
  }

  const { page, payload } = auth

  // 校验 session 归属（防越权读取他人会话）
  try {
    h5Router.resolveSession(page, payload.externalUserId, sessionId)
  } catch (err) {
    if (err instanceof H5ForbiddenError) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    throw err
  }

  const messages = mapMessagesForH5Response(messageRepo.listBySession(sessionId))
  return NextResponse.json(messages)
}
