import { NextRequest, NextResponse } from "next/server";

export async function middleware(req: NextRequest) {
  // Check for our session cookie (simple check, actual validation happens in API routes)
  const sessionToken = req.cookies.get("ep_session")?.value;
  const pathname = req.nextUrl.pathname;

  // Protected routes that require authentication
  const protectedRoutes = [
    "/account",
    "/admin",
  ];

  const isProtectedRoute = protectedRoutes.some(route => pathname.startsWith(route));

  // If not a protected route, allow access
  if (!isProtectedRoute) {
    return NextResponse.next();
  }

  // If protected route and no session token, redirect to home
  if (!sessionToken) {
    return NextResponse.redirect(new URL("/", req.url));
  }

  // Allow access (actual session validation happens in API routes)
  return NextResponse.next();
}

export const config = {
  matcher: [
    "/account/:path*",
    "/admin/:path*",
  ],
};