payment-backoffice/app/api/auth/login/route.tsx

import { NextResponse } from "next/server";
import { cookies } from "next/headers";
import { decodeJwt } from "jose";

const BE_BASE_URL = process.env.BE_BASE_URL || "http://localhost:8583";
const COOKIE_NAME = "auth_token";

export async function POST(request: Request) {
  try {
    const { email, password } = await request.json();

    // Call backend login
    const resp = await fetch(`${BE_BASE_URL}/api/v1/auth/login`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    });

    if (!resp.ok) {
      const errJson = await safeJson(resp);
      return NextResponse.json(
        { success: false, message: errJson?.message || "Login failed" },
        { status: resp.status }
      );
    }

    const data = await resp.json();
    const token: string | undefined = data?.token;

    if (!token) {
      return NextResponse.json(
        { success: false, message: "No token returned from backend" },
        { status: 502 }
      );
    }

    // Decode JWT token to extract MustChangePassword
    let mustChangePassword = false;
    let maxAge = 60 * 60 * 12; // fallback to 12h

    try {
      const payload = decodeJwt(token);

      // Extract exp if present
      if (payload?.exp) {
        const secondsLeft = payload.exp - Math.floor(Date.now() / 1000);
        if (secondsLeft > 0) maxAge = secondsLeft;
      }

      // Extract MustChangePassword flag if it exists
      if (typeof payload?.MustChangePassword === "boolean") {
        mustChangePassword = payload.MustChangePassword;
      }
    } catch (err) {
      console.warn("Failed to decode JWT:", err);
    }

    // Set the cookie
    const cookieStore = await cookies();
    cookieStore.set(COOKIE_NAME, token, {
      httpOnly: true,
      secure: process.env.NODE_ENV === "production",
      sameSite: "lax",
      path: "/",
      maxAge,
    });

    return NextResponse.json(
      {
        user: data.user,
        success: true,
        message: "Login successful",
        must_change_password: mustChangePassword,
      },
      { status: 200 }
    );
  } catch (error) {
    console.error("Login proxy error:", error);
    return NextResponse.json(
      { success: false, message: "Internal server error" },
      { status: 500 }
    );
  }
}

async function safeJson(resp: Response) {
  try {
    return await resp.json();
  } catch {
    return null;
  }
}