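import { NextResponse } from "next/server"
import { createSupabaseServerClient } from "@/lib/supabase/server"
import type { EmailOtpType } from "@supabase/supabase-js"

/** Landing page used when `next` is absent or fails validation. */
const DEFAULT_REDIRECT_PATH = "/reader"

/** Destination after a failed callback; deliberately carries no detail about why. */
const SIGN_IN_ERROR_PATH = "/sign-in?error=auth"

/**
 * Values the `type` query parameter may take — the members of `EmailOtpType`.
 * The annotation makes the compiler reject any entry the library does not define.
 */
const EMAIL_OTP_TYPES: readonly EmailOtpType[] = [
  "signup",
  "invite",
  "magiclink",
  "recovery",
  "email_change",
  "email",
]
const EMAIL_OTP_TYPE_SET = new Set<string>(EMAIL_OTP_TYPES)

/**
 * Narrow an untrusted query value to `EmailOtpType` with a runtime check
 * instead of an `as` assertion, so an arbitrary string never reaches `verifyOtp`.
 *
 * @param value the raw `type` query parameter, or `null` when absent
 * @returns true when `value` is one of the known OTP types
 */
function isEmailOtpType(value: string | null): value is EmailOtpType {
  return value !== null && EMAIL_OTP_TYPE_SET.has(value)
}

/**
 * Reduce a caller-supplied `next` value to a same-origin path.
 *
 * Only an absolute path (leading `/`) is accepted. Protocol-relative `//host`
 * forms, backslashes (which some browsers normalise to `/`) and anything else
 * fall back to {@link DEFAULT_REDIRECT_PATH}. The result is appended to the
 * request origin, so nothing that could switch the host may pass.
 *
 * @param rawPath the raw `next` query parameter, or `null` when absent
 * @returns a path that is safe to append to the request origin
 */
function sanitizeRedirectPath(rawPath: string | null): string {
  if (rawPath === null || !rawPath.startsWith("/")) return DEFAULT_REDIRECT_PATH
  if (rawPath.startsWith("//") || rawPath.includes("\\")) return DEFAULT_REDIRECT_PATH
  return rawPath
}

/**
 * Supabase auth callback route.
 *
 * Handles both callback shapes: the email-OTP form (`token_hash` + `type`) and
 * the PKCE form (`code`). On success the user is redirected to the validated
 * `next` path on this origin; on any failure to `/sign-in?error=auth`, without
 * exposing the underlying error to the client. Failure details are logged
 * server-side only (message, never the token or code).
 *
 * NOTE(review): `origin` is derived from `request.url`. Behind a reverse proxy
 * this may be the internal host rather than the public one — confirm for the
 * deployment before relying on it.
 *
 * @param request the incoming callback request
 * @returns a redirect response
 */
export async function GET(request: Request): Promise<NextResponse> {
  const { searchParams, origin } = new URL(request.url)
  const code = searchParams.get("code")
  const tokenHash = searchParams.get("token_hash")
  const rawType = searchParams.get("type")
  const next = sanitizeRedirectPath(searchParams.get("next"))

  const supabaseClient = await createSupabaseServerClient()

  // Email OTP / magic-link flow. `type` is validated rather than cast, so a
  // malformed value is skipped instead of being forwarded to Supabase.
  if (tokenHash && isEmailOtpType(rawType)) {
    const { error } = await supabaseClient.auth.verifyOtp({
      token_hash: tokenHash,
      type: rawType,
    })
    if (!error) return NextResponse.redirect(`${origin}${next}`)
    console.error("auth callback: verifyOtp failed", error.message)
  }

  // PKCE flow. Also reached when the OTP attempt above failed and a code is present.
  if (code) {
    const { error } = await supabaseClient.auth.exchangeCodeForSession(code)
    if (!error) return NextResponse.redirect(`${origin}${next}`)
    console.error("auth callback: exchangeCodeForSession failed", error.message)
  }

  return NextResponse.redirect(`${origin}${SIGN_IN_ERROR_PATH}`)
}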