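/**
 * Page guard: accept the request when the `access_token` cookie verifies,
 * otherwise try one refresh with the `refresh_token` cookie, and send the
 * visitor to `/login` when neither works.
 *
 * `Astro`, `verifyToken` and `refreshAccessToken` are not defined in this
 * block; they are taken from the enclosing scope.
 *
 * @returns {Promise<Response|undefined>} `undefined` when the request is
 *   authenticated; otherwise the value of `Astro.redirect("/login")`, which
 *   the caller has to return itself for the redirect to take effect.
 */
export const requireAuthHook = async () => {
  // Both token cookies share the same attributes. No maxAge/expires is set,
  // so they are written as session cookies.
  const cookieOptions = {
    path: "/",
    httpOnly: true,
    sameSite: "lax",
    secure: true,
  };
  // A helper may throw something that is not an Error; never assume `.message`.
  const reasonOf = (err) => (err instanceof Error ? err.message : String(err));

  // Step 1: verify the current access token.
  const token = Astro.cookies.get("access_token")?.value;
  try {
    if (!token) throw new Error("No access token");
    if (!verifyToken(token)) throw new Error("Invalid access token");
    // The verified payload is deliberately not logged: it holds the user's
    // claims and this runs on every guarded request.
    console.log("Verified!");
    return;
  } catch (err) {
    console.log("Access token check failed:", reasonOf(err));
  }

  // Step 2: attempt a refresh if a refresh_token cookie exists.
  const refreshToken = Astro.cookies.get("refresh_token")?.value;
  if (refreshToken) {
    try {
      const newTokens = await refreshAccessToken(refreshToken);
      // Verify BEFORE persisting, so a token that fails verification is
      // never written back to the browser.
      if (newTokens?.accessToken && verifyToken(newTokens.accessToken)) {
        Astro.cookies.set("access_token", newTokens.accessToken, {
          ...cookieOptions,
        });
        // The refresh token is replaced only when the refresh call returns one.
        if (newTokens.refreshToken) {
          Astro.cookies.set("refresh_token", newTokens.refreshToken, {
            ...cookieOptions,
          });
        }
        console.log("Refreshed + verified!");
        return;
      }
    } catch (refreshErr) {
      console.error("Refresh failed:", reasonOf(refreshErr));
    }
  }

  // Step 3: still unauthenticated, so redirect.
  // NOTE(review): the rejected cookies are left in place, so every later
  // request repeats the failed check; consider clearing them here.
  return Astro.redirect("/login");
};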