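/** User details shown in the UI, derived from the access token's claims. */
interface AuthUser {
  nome: string
  email: string
  papel: string
}

/**
 * Decodes the payload segment of a JWT and maps its claims to an AuthUser.
 *
 * JWT segments are base64url-encoded UTF-8. Plain `atob` rejects the `-` and
 * `_` characters of that alphabet and returns bytes as Latin-1, so the segment
 * is translated to standard base64 and decoded as UTF-8 before parsing.
 *
 * The signature is NOT verified here. The result is suitable for display
 * only; any authorization decision based on `papel` must be enforced by the
 * API, since anyone who can edit the cookie can alter these claims.
 *
 * @param jwt - Access token in `header.payload.signature` form.
 * @returns The user derived from the `email` and `role` claims.
 * @throws If the payload segment is missing, is not valid base64url/JSON, or
 *   carries no string `email` claim.
 */
function userFromAccessToken(jwt: string): AuthUser {
  const segment = jwt.split('.')[1]
  if (!segment) {
    throw new Error('access token has no payload segment')
  }

  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/')
  const binary = atob(base64)
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0))
  const claims: unknown = JSON.parse(new TextDecoder().decode(bytes))

  if (typeof claims !== 'object' || claims === null) {
    throw new Error('access token payload is not an object')
  }
  const { email, role } = claims as { email?: unknown; role?: unknown }
  if (typeof email !== 'string') {
    throw new Error('access token payload has no email claim')
  }

  // `role` is passed through exactly as issued; it is not validated here.
  return { nome: email.split('@')[0], email, papel: role as string }
}

/**
 * Authentication composable: keeps the access and refresh tokens in cookies,
 * exposes the current user and a login/logout pair.
 *
 * @returns `user` (shared state, null when signed out), `isAuthenticated`
 *   (true whenever an access-token cookie is present), `login` and `logout`.
 */
export function useAuth() {
  const {
    public: { apiBase },
  } = useRuntimeConfig()

  const user = useState<AuthUser | null>('auth_user', () => null)

  // Access token lives 8 hours, refresh token 7 days.
  // Both cookies are written from script by this composable, so they cannot be
  // httpOnly and are readable by any script running on the page.
  // NOTE(review): no `secure` or `sameSite` option is passed here; consider
  // setting them explicitly for production deployments.
  const token = useCookie('auth_token', { maxAge: 60 * 60 * 8 })
  const refreshToken = useCookie('refresh_token', { maxAge: 60 * 60 * 24 * 7 })

  // Reflects only the presence of the cookie; the token's validity and expiry
  // are not checked on the client.
  const isAuthenticated = computed(() => !!token.value)

  // Restore the user from the token after a page reload.
  if (token.value && !user.value) {
    try {
      user.value = userFromAccessToken(token.value)
    } catch {
      // An undecodable token is useless to the UI: drop it.
      token.value = null
    }
  }

  /**
   * Signs in against `${apiBase}/auth/login` and stores the returned tokens.
   *
   * @param email - Account e-mail.
   * @param password - Account password.
   * @param slug - Organization identifier sent along with the credentials.
   * @returns `{ success: true }`, or `{ success: false, error }` with the
   *   API's error message when it provides one.
   */
  async function login(
    email: string,
    password: string,
    slug: string,
  ): Promise<{ success: boolean; error?: string }> {
    try {
      const res = await $fetch<{ access_token: string; refresh_token: string }>(
        `${apiBase}/auth/login`,
        {
          method: 'POST',
          body: { email, password, slug },
        },
      )

      // Decode before persisting anything, so a token that cannot be read
      // never leaves the cookies set while the call reports a failure.
      const signedIn = userFromAccessToken(res.access_token)
      token.value = res.access_token
      refreshToken.value = res.refresh_token
      user.value = signedIn
      return { success: true }
    } catch (err: unknown) {
      const apiError = (err as { data?: { error?: unknown } } | null)?.data?.error
      const msg =
        typeof apiError === 'string' && apiError
          ? apiError
          : 'E-mail, senha ou organização incorretos.'
      return { success: false, error: msg }
    }
  }

  /**
   * Clears the local session and redirects to the login page.
   *
   * The server-side logout (which invalidates the refresh token) is
   * fire-and-forget: its failure is ignored, so the refresh token may remain
   * valid on the server if that request does not get through.
   */
  function logout() {
    if (refreshToken.value) {
      $fetch(`${apiBase}/auth/logout`, {
        method: 'POST',
        body: { refresh_token: refreshToken.value },
      }).catch(() => {})
    }
    token.value = null
    refreshToken.value = null
    user.value = null
    navigateTo('/login')
  }

  return { user, isAuthenticated, login, logout }
}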