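// Application entry point: configures Express, cookie-based sessions, the auth
// and file API routers, and static hosting for the front end in ./public.
const crypto = require('crypto');
const express = require('express');
const cors = require('cors');
const path = require('path');
const session = require('express-session');
require('dotenv').config();

const { initUserTable } = require('./db/connection');
const authRoutes = require('./routes/auth');
const fileRoutes = require('./routes/files');

const app = express();
const PORT = process.env.PORT || 3000;

// Initialize DB
// NOTE(review): if initUserTable() is asynchronous, a failure here is not
// handled and the server starts listening anyway; confirm in ./db/connection.
initUserTable();

// Middleware
// cors() with no options answers every origin. Credentialed cross-origin
// requests are not enabled by this default, but an explicit `origin` allowlist
// is preferable once the set of front-end origins is known.
app.use(cors());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

// Session
// The secret signs the session ID cookie. A hard-coded fallback is readable by
// anyone with access to the source and would let them mint validly signed
// cookies, so when SESSION_SECRET is unset a random per-process value is used
// instead: the server still starts, but sessions end at restart.
const configuredSecret = process.env.SESSION_SECRET;
const sessionSecret = configuredSecret || crypto.randomBytes(32).toString('hex');
if (!configuredSecret) {
  console.warn(
    'SESSION_SECRET is not set; using a random per-process secret. ' +
      'Sessions will not survive a restart or be shared between instances.'
  );
}

app.use(
  session({
    secret: sessionSecret,
    resave: false,
    saveUninitialized: false,
    cookie: {
      // Left false so the cookie is still set over plain HTTP. Set to true
      // when serving over HTTPS; behind a TLS-terminating proxy that also
      // requires Express's 'trust proxy' setting.
      secure: false,
      // Keeps the session cookie out of reach of page scripts (this is the
      // express-session default, stated explicitly).
      httpOnly: true,
      // express.urlencoded() accepts plain form posts, so the cookie is not
      // sent on cross-site POSTs; top-level navigations still carry it.
      sameSite: 'lax',
    },
  })
);

/**
 * Auth middleware: lets the request through when the session carries a user,
 * otherwise answers 401 with a JSON error body.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
const requireAuth = (req, res, next) => {
  // Optional chaining: a request without a session object is rejected with
  // 401 instead of throwing a TypeError.
  if (!req.session?.user) {
    res.status(401).json({ error: 'Unauthorized' });
    return;
  }
  next();
};

// Routes
// Order matters: /api/auth is mounted first and without requireAuth, so the
// login endpoints stay reachable; everything else under /api is guarded.
app.use('/api/auth', authRoutes);
app.use('/api', requireAuth, fileRoutes);

// Static files (public).
// Served without authentication on purpose: index.html renders the login UI,
// so it has to load before a session exists. Only the API is protected, which
// means nothing sensitive should be placed under ./public.
app.use(express.static('public'));

app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});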