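import { isCsrfExempt, requireCsrfToken } from '~/server/utils/csrf'

/**
 * CSRF Protection Middleware
 *
 * Validates CSRF tokens on all state-changing requests (POST, PUT, PATCH,
 * DELETE). Other methods pass through untouched.
 * Exempts certain endpoints like login/register that create sessions.
 */

// HTTP methods that can change server state and therefore need a CSRF token.
// PATCH is included here: it is as state-changing as PUT, but the previous
// POST/PUT/DELETE check let PATCH requests through without any token check.
const CSRF_PROTECTED_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE'])

/**
 * @param {object} event - h3 request event; reads `event.node.req.method`
 *   and `event.node.req.url`
 * @returns {Promise<void>} resolves once the request is allowed through
 *   (non-protected method, exempt path, or a token accepted by
 *   `requireCsrfToken`); presumably `requireCsrfToken` rejects otherwise —
 *   confirm against its implementation
 */
export default defineEventHandler(async (event) => {
  const method = event.node.req.method
  // NOTE(review): req.url still carries the query string; confirm that
  // isCsrfExempt matches on the pathname only so `?...` cannot influence
  // whether an endpoint is treated as exempt.
  const path = event.node.req.url || ''

  // Safe methods (GET, HEAD, OPTIONS, ...) are not CSRF-relevant; a missing
  // method is not in the set either and falls through here.
  if (!CSRF_PROTECTED_METHODS.has(method)) {
    return
  }

  // Skip CSRF validation for exempt endpoints (login/register create the
  // session, so no token can exist yet)
  if (isCsrfExempt(path)) {
    return
  }

  // Require valid CSRF token for every remaining state-changing request
  await requireCsrfToken(event)
})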