import { FreshContext } from '$fresh/server.ts'
import { SessionStore } from ':src/session/mod.ts'
import { respondApi } from ':src/utils.ts'

export function handler(request: Request, ctx: FreshContext) {
	// Check CSRF token
	if (['POST', 'PATCH', 'PUT', 'DELETE', 'OPTIONS'].includes(request.method)) {
		const session = SessionStore.getFromRequest(request)
		const csrf = session?.get('_csrf')

		if (csrf === undefined || request.headers.get('X-CSRF-TOKEN') !== csrf) {
			return respondApi('error', new Error('invalid csrf token'), 401)
		}
	}

	return ctx.next()
}