import { NextRequest, NextResponse } from "next/server";
import OpenAI from "openai";
import { createClient } from "@/lib/supabase/server";
import { checkRateLimit, getClientIP, createRateLimitResponse } from "@/lib/rate-limit";
import { withErrorHandler, APIError, ErrorCodes } from "@/lib/api-errors";
import { validateCSRFToken, isSameOrigin } from "@/lib/csrf";

const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY || "",
});

const AI_RATE_LIMIT = 10;
const AI_WINDOW_MS = 15 * 60 * 1000;

async function handler(request: Request) {
  // CSRF protection: validate same-origin and token
  if (!isSameOrigin(request)) {
    return NextResponse.json({ error: 'Cross-origin request not allowed' }, { status: 403 });
  }
  const csrfValid = await validateCSRFToken(request);
  if (!csrfValid) {
    return NextResponse.json({ error: 'Invalid or missing CSRF token' }, { status: 403 });
  }
  
  // Auth check
  const supabase = await createClient();
  const { data: { user } } = await supabase.auth.getUser();
  if (!user) {
    throw new APIError("Unauthorized", 401, ErrorCodes.UNAUTHORIZED);
  }

  // Rate limit
  const clientIP = getClientIP(request);
  const rateLimit = checkRateLimit(`transcribe:${clientIP}`, AI_RATE_LIMIT, AI_WINDOW_MS);
  if (!rateLimit.allowed) {
    const retryAfter = Math.ceil((rateLimit.resetTime - Date.now()) / 1000);
    return createRateLimitResponse(clientIP, retryAfter);
  }

  const formData = await request.formData();
  const audioFile = formData.get("audio") as File | null;

  if (!audioFile) {
    throw new APIError("No audio file provided", 400, ErrorCodes.INVALID_INPUT);
  }

  try {
    const transcription = await openai.audio.transcriptions.create({
      file: audioFile,
      model: "whisper-1",
      language: "en",
    });

    return Response.json({ text: transcription.text });
  } catch (error) {
    console.error("OpenAI transcription error:", error);
    throw new APIError(
      "Failed to transcribe audio",
      500,
      ErrorCodes.EXTERNAL_SERVICE_ERROR
    );
  }
}

export const POST = withErrorHandler(handler);
