// Operator identity proxy. Same shape as the portal's /api/me — pulls
// /users/me from platform-api with the signed-in operator's access token,
// plus tenants + subscriptions for context. Consumed by the useMe()
// composable; no UI surface uses it yet, but the path is here so any
// future middleware / layout that needs profile data has a known endpoint.

import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

export default defineEventHandler(async (event) => {
  const session = await getUserSession(event).catch(() => null)
  const accessToken = (session as { accessToken?: string } | null)?.accessToken
  if (!accessToken) {
    throw createError({ statusCode: 401, statusMessage: 'Not signed in or no access token' })
  }

  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
  const headers = { Authorization: `Bearer ${accessToken}` }

  const [profile, tenants, subscriptions] = await Promise.all([
    $fetch(`${base}/users/me`, { headers }),
    $fetch(`${base}/tenants`, { headers }),
    $fetch(`${base}/subscriptions`, { headers }),
  ])

  return { profile, tenants, subscriptions }
})