import { buildMemberCookie, getApiBaseUrl, jsonResponse } from '../../../_lib/api';

export const dynamic = 'force-dynamic';

export async function POST(req: Request): Promise<Response> {
  const body = await req.json().catch(() => ({}));
  const upstream = await fetch(`${getApiBaseUrl()}/public/auth/verify-otp`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
    body: JSON.stringify(body),
    cache: 'no-store',
  });
  const payload = (await upstream.json().catch(() => ({}))) as {
    memberToken?: string;
    user?: { id: string; tenantId: string; jid: string; displayName: string | null };
    consent?: { scopes: string[]; retentionDays: number; policyVersion: string };
    message?: string;
  };
  if (!upstream.ok) {
    return jsonResponse(payload, upstream.status);
  }
  if (!payload.memberToken) {
    return jsonResponse({ message: 'Upstream response missing memberToken' }, 502);
  }
  return jsonResponse(
    { user: payload.user, consent: payload.consent },
    200,
    { 'Set-Cookie': buildMemberCookie(payload.memberToken) },
  );
}