export default defineNuxtRouteMiddleware(async (to) => {
    const auth = useAuthStore()
    const isLogin = to.path === '/login'

    if (!auth.checked) {
        await auth.ensureSession()
    }

    if (!isLogin && !auth.isAuthenticated) {
        return navigateTo('/login')
    }

    if (isLogin && auth.isAuthenticated) {
        const isClientOnly = auth.user?.roles?.includes('ROLE_CLIENT') && !auth.user?.roles?.includes('ROLE_ADMIN')
        return navigateTo(isClientOnly ? '/portal' : '/')
    }

    // ROLE_CLIENT without ROLE_ADMIN: redirect to /portal, block internal pages
    if (auth.isAuthenticated && auth.user?.roles?.includes('ROLE_CLIENT') && !auth.user?.roles?.includes('ROLE_ADMIN')) {
        const isPortalRoute = to.path.startsWith('/portal')
        const isLoginRoute = to.path === '/login'
        if (!isPortalRoute && !isLoginRoute) {
            return navigateTo('/portal')
        }
    }
})