neo/frontend/server/utils/session.ts

import type { H3Event } from 'h3'
import { getCookie, setCookie, deleteCookie } from 'h3'

const SESSION_COOKIE_NAME = 'routebox_session'
const SESSION_MAX_AGE = 60 * 60 * 24 * 7 // 7 days

export interface SessionData {
  token: string
  tenantId: string
  userId: string
  email: string
}

/**
 * Get the session token from HTTP-only cookie
 */
export function getSessionToken(event: H3Event): string | null {
  return getCookie(event, SESSION_COOKIE_NAME) || null
}

/**
 * Set the session token in an HTTP-only cookie
 */
export function setSessionCookie(event: H3Event, token: string): void {
  const isProduction = process.env.NODE_ENV === 'production'
  
  setCookie(event, SESSION_COOKIE_NAME, token, {
    httpOnly: true,
    secure: isProduction,
    sameSite: 'lax',
    maxAge: SESSION_MAX_AGE,
    path: '/',
  })
}

/**
 * Clear the session cookie
 */
export function clearSessionCookie(event: H3Event): void {
  deleteCookie(event, SESSION_COOKIE_NAME, {
    path: '/',
  })
}

/**
 * Get tenant ID from a separate cookie (for SSR access)
 * This is NOT the auth token - just tenant context
 */
export function getTenantIdFromCookie(event: H3Event): string | null {
  return getCookie(event, 'routebox_tenant') || null
}

/**
 * Set tenant ID cookie (readable by client for context)
 */
export function setTenantIdCookie(event: H3Event, tenantId: string): void {
  const isProduction = process.env.NODE_ENV === 'production'
  
  setCookie(event, 'routebox_tenant', tenantId, {
    httpOnly: false, // Allow client to read tenant context
    secure: isProduction,
    sameSite: 'lax',
    maxAge: SESSION_MAX_AGE,
    path: '/',
  })
}

/**
 * Clear tenant ID cookie
 */
export function clearTenantIdCookie(event: H3Event): void {
  deleteCookie(event, 'routebox_tenant', {
    path: '/',
  })
}