export default defineNuxtRouteMiddleware(async (to, from) => {
  const config = useRuntimeConfig();
  const isComingSoonMode =
    config.public.comingSoon === "true" || config.public.comingSoon === true;

  // Only enforce coming soon mode if enabled
  if (!isComingSoonMode) {
    return;
  }

  // Allow access to the coming-soon page and OIDC login
  if (to.path === "/coming-soon" || to.path === "/auth/wiki-login") {
    return;
  }

  // Allow authenticated users to bypass coming-soon
  const authToken = useCookie("auth-token");
  if (authToken.value) {
    // On the server, verify the JWT is actually valid
    if (import.meta.server) {
      try {
        const { jwtSecret } = useRuntimeConfig();
        const jwt = await import("jsonwebtoken").then((m) => m.default);
        jwt.verify(authToken.value, jwtSecret);
        return;
      } catch {
        // Invalid/expired token — fall through to coming-soon redirect
      }
    } else {
      // Client-side: trust the cookie (SSR already validated on initial load)
      return;
    }
  }

  // Redirect all other routes to coming-soon
  return navigateTo("/coming-soon");
});