ai-wpa/app/api/auth/refresh/route.ts

import { NextRequest, NextResponse } from 'next/server'
import connectDB from '@/lib/mongodb'
import { User } from '@/models/user'
import { verifyRefreshToken, generateTokens } from '@/lib/jwt'

export async function POST(request: NextRequest) {
  try {
    // Get refresh token from cookie
    const refreshToken = request.cookies.get('refreshToken')?.value

    if (!refreshToken) {
      return NextResponse.json(
        {
          success: false,
          error: { message: 'No refresh token provided', code: 'NO_REFRESH_TOKEN' },
        },
        { status: 401 }
      )
    }

    // Verify refresh token
    const payload = verifyRefreshToken(refreshToken)
    if (!payload) {
      return NextResponse.json(
        {
          success: false,
          error: { message: 'Invalid refresh token', code: 'INVALID_REFRESH_TOKEN' },
        },
        { status: 401 }
      )
    }

    // Connect to database and find user
    await connectDB()
    const user = await User.findById(payload.userId)

    // Check if user exists and refresh token matches
    if (!user) {
      return NextResponse.json(
        { success: false, error: { message: 'User not found', code: 'USER_NOT_FOUND' } },
        { status: 401 }
      )
    }

    // Verify the stored refresh token matches (both are JWT tokens, so direct comparison is valid)
    if (user.refreshToken !== refreshToken) {
      return NextResponse.json(
        { success: false, error: { message: 'Refresh token mismatch', code: 'TOKEN_MISMATCH' } },
        { status: 401 }
      )
    }

    // Generate new tokens
    const { accessToken, refreshToken: newRefreshToken } = generateTokens({
      userId: user._id.toString(),
      email: user.email,
      role: user.role,
    })

    // Update user's refresh token
    user.refreshToken = newRefreshToken
    await user.save()

    // Create response with new tokens
    const response = NextResponse.json({
      success: true,
      data: {
        accessToken,
        user: user.toJSON(),
      },
    })

    // Set new cookies
    response.cookies.set('accessToken', accessToken, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      maxAge: 15 * 60, // 15 minutes
      path: '/',
    })

    response.cookies.set('refreshToken', newRefreshToken, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      maxAge: 7 * 24 * 60 * 60, // 7 days
      path: '/',
    })

    return response
  } catch (error) {
    console.error('Token refresh error:', error)

    return NextResponse.json(
      { success: false, error: { message: 'Internal server error', code: 'INTERNAL_ERROR' } },
      { status: 500 }
    )
  }
}