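import { NextRequest, NextResponse } from 'next/server'

// Customer-facing proxy to the legal-documents API. The customer "Dokumente"
// page only ever reads PUBLISHED documents (GET /public). Templates, drafts and
// the generator stay behind the internal API and are never proxied here.

const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'

// Backend route prefix that every proxied request is built under.
const LEGAL_DOCS_PATH = '/api/compliance/legal-documents'

/**
 * Returns the tenant id forwarded to the backend as `X-Tenant-ID`.
 *
 * Requests without an `x-tenant-id` header fall back to a fixed default tenant.
 *
 * NOTE(review): the value is read straight from the incoming request and
 * nothing in this file shows it being set or verified by trusted middleware.
 * If a client can supply this header itself, it selects which tenant's
 * documents are returned. Confirm upstream that it is derived from the
 * authenticated session and that any client-sent copy is stripped.
 */
function tenantHeader(request: NextRequest): string {
  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
}

/**
 * Builds the backend URL for a customer request and confirms that, once
 * normalised, it still points inside the published-documents subtree.
 *
 * A string prefix test on the joined path is not sufficient on its own: the
 * URL parser used by `fetch` collapses `.` / `..` segments (including their
 * percent-encoded spellings) and treats `\` as `/`, so a value that starts with
 * `public/` can resolve to a sibling route. Checking the parsed pathname closes
 * that gap regardless of how the framework delivers the route segments.
 *
 * @param sub   Route segments joined with `/`, as received from the router.
 * @param query Serialised query string without the leading `?` (may be empty).
 * @returns The URL to fetch, or `null` when it resolves outside `/public`.
 * @throws TypeError when `BACKEND_URL` is not a valid absolute URL.
 */
function publicBackendUrl(sub: string, query: string): URL | null {
  const allowedRoot = new URL(`${BACKEND_URL}${LEGAL_DOCS_PATH}/public`)
  const target = new URL(`${BACKEND_URL}${LEGAL_DOCS_PATH}/${sub}`)

  const insidePublic =
    target.origin === allowedRoot.origin &&
    (target.pathname === allowedRoot.pathname ||
      target.pathname.startsWith(`${allowedRoot.pathname}/`))
  if (!insidePublic) {
    return null
  }

  // The query comes only from the request's own search params; anything a
  // path segment smuggled in after `?` or `#` is discarded.
  target.search = query
  target.hash = ''
  return target
}

/**
 * Proxies GET requests for published legal documents to the backend.
 *
 * Responds 404 for anything outside the `public` subtree, relays the backend's
 * status, body and content type otherwise, and responds 502 when the backend
 * cannot be reached.
 */
export async function GET(
  request: NextRequest,
  { params }: { params: Promise<{ path?: string[] }> },
) {
  const { path = [] } = await params
  const sub = path.join('/')

  // Hard allow-list: customers may only read the public (published) views.
  if (sub !== 'public' && !sub.startsWith('public/')) {
    return NextResponse.json({ error: 'Not found' }, { status: 404 })
  }

  const qs = new URL(request.url).searchParams.toString()

  try {
    // Second allow-list check, applied to the normalised URL that will
    // actually be requested.
    const target = publicBackendUrl(sub, qs)
    if (target === null) {
      return NextResponse.json({ error: 'Not found' }, { status: 404 })
    }

    const resp = await fetch(target, {
      headers: { 'X-Tenant-ID': tenantHeader(request) },
    })
    const body = await resp.text()
    return new NextResponse(body, {
      status: resp.status,
      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
    })
  } catch (err: unknown) {
    // Keep failure details in the server log; the customer-facing response
    // stays generic so internal host names and error text are not exposed.
    console.error('legal-documents proxy: backend request failed', err)
    return NextResponse.json({ error: 'Backend unreachable' }, { status: 502 })
  }
}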