// Recover from a dead session instead of leaving a broken page: when any
// /api call returns 401, bounce the browser through the OIDC login route.
// With a live Authentik SSO session that round-trip is invisible (instant
// return to a fresh session); when Authentik's session is gone too, the
// user lands on the sign-in screen — never half-dead buttons. The
// timestamp guard prevents redirect loops if login can't restore a session.
export default defineNuxtPlugin(() => {
  const KEY = 'auth-recover-at'
  globalThis.$fetch = $fetch.create({
    onResponseError({ request, response }) {
      const url =
        typeof request === 'string' ? request : request instanceof Request ? request.url : String(request)
      if (response.status !== 401 || !url.startsWith('/api/')) return
      const last = Number(sessionStorage.getItem(KEY) ?? 0)
      if (Date.now() - last < 30_000) return
      sessionStorage.setItem(KEY, String(Date.now()))
      window.location.href = '/auth/oidc/login'
    },
  }) as typeof globalThis.$fetch
})