hd-commerce/src/middleware.js

import { recordEvent, getSetting } from './lib/store.js';
import { createHash } from 'node:crypto';
import {
  currentUser, adminBase, adminPathSegment, isCustomAdminPath, canAccess, landingFor,
} from './lib/auth.js';

const SKIP = ['/api/', '/uploads/', '/_astro', '/favicon', '/_image', '/robots.txt'];

function sessionHash(request) {
  const ua = request.headers.get('user-agent') || '';
  const ip = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'local';
  const day = new Date().toISOString().slice(0, 10);
  return createHash('sha256').update(ip + ua + day).digest('hex').slice(0, 16);
}

function sectionOf(adminInner) {
  const seg = adminInner.replace(/^\//, '').split('/')[0] || 'dashboard';
  const map = {
    '': 'dashboard', 'bestellungen': 'bestellungen', 'produkte': 'produkte', 'kunden': 'kunden',
    'analytics': 'analytics', 'marketing': 'marketing', 'inhalte': 'inhalte', 'einstellungen': 'einstellungen',
    'nutzer': 'nutzer', 'audit': 'audit', 'konto': 'dashboard', 'login': 'login', 'logout': 'logout',
  };
  return map[seg] || 'dashboard';
}

export async function onRequest(context, next) {
  const { request, locals } = context;
  const url = new URL(request.url);
  const path = url.pathname;
  const base = adminBase();           // "/login" oder "/admin"
  const custom = isCustomAdminPath();

  // Interner Rewrite-Durchlauf (auf physische /admin-Routen) -> einfach durchreichen.
  if (locals && locals.__hdcAdminRewrite) {
    return next();
  }

  // Custom-Admin-Pfad: direkter Zugriff auf physische /admin-Routen blocken (404).
  if (custom && (path === '/admin' || path.startsWith('/admin/'))) {
    return new Response('Not Found', { status: 404 });
  }

  // Admin-Bereich unter konfiguriertem Pfad
  const isAdmin = path === base || path.startsWith(base + '/');
  if (isAdmin) {
    let inner = path.slice(base.length); // "" oder "/bestellungen/3"
    if (inner === '') inner = '/';
    const innerSeg = inner.replace(/^\//, '').split('/')[0];
    const isLoginRoute = innerSeg === 'login';
    const isLogoutRoute = innerSeg === 'logout';

    const user = currentUser(request);

    if (!user && !isLoginRoute) {
      // Nicht eingeloggt -> Login-Seite rendern (HTTP 200).
      if (locals) locals.__hdcAdminRewrite = true;
      return context.rewrite('/admin/login?next=' + encodeURIComponent(path));
    }

    if (user && !isLoginRoute && !isLogoutRoute) {
      const section = sectionOf(inner);
      if (section !== 'dashboard' && section !== 'login' && section !== 'logout' && !canAccess(user.role, section)) {
        return Response.redirect(new URL(landingFor(user.role), url), 302);
      }
      if (section === 'dashboard' && !canAccess(user.role, 'dashboard')) {
        return Response.redirect(new URL(landingFor(user.role), url), 302);
      }
    }

    // Auf physische /admin-Routen umschreiben.
    if (custom) {
      if (locals) locals.__hdcAdminRewrite = true;
      const target = '/admin' + (inner === '/' ? '' : inner) + url.search;
      return context.rewrite(target);
    }
    return next();
  }

  // First-Party Pageview-Tracking (nur Storefront-GET-Seiten)
  if (request.method === 'GET' && !SKIP.some(s => path.startsWith(s))) {
    try {
      recordEvent({
        type: 'pageview', path,
        referrer: request.headers.get('referer') || '',
        utm_source: url.searchParams.get('utm_source') || '',
        utm_medium: url.searchParams.get('utm_medium') || '',
        utm_campaign: url.searchParams.get('utm_campaign') || '',
        session: sessionHash(request),
      });
    } catch {}
  }

  return next();
}