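import { NextResponse } from 'next/server';
import { findUser, saveUser, createSession } from '@/lib/auth';
import { verifyOTP } from '@/lib/otp';

/**
 * Second login step: checks a one-time code for a username and, on success,
 * records the caller's IP on the user record and opens a session.
 *
 * Responses:
 * - 400 when the body is not JSON or `username` / `otp` are not non-empty strings
 * - 401 when `verifyOTP` rejects the code
 * - 404 when `findUser` returns nothing for the username
 * - 200 `{ success: true }` after `createSession` resolves
 * - 500 on any unexpected exception (details are logged server-side only)
 */
export async function POST(req: Request) {
  try {
    // Parse separately so a malformed body is reported as a client error
    // instead of falling through to the generic 500 handler.
    let body: unknown;
    try {
      body = await req.json();
    } catch {
      return NextResponse.json({ error: 'Solicitud inválida' }, { status: 400 });
    }

    if (typeof body !== 'object' || body === null) {
      return NextResponse.json({ error: 'Solicitud inválida' }, { status: 400 });
    }

    // The body is attacker-controlled: only plain non-empty strings may reach
    // verifyOTP / findUser. Objects, arrays or numbers are rejected here
    // (a numeric OTP would also lose any leading zeros in JSON).
    const fields = body as Record<string, unknown>;
    const username = fields.username;
    const otp = fields.otp;
    if (
      typeof username !== 'string' ||
      typeof otp !== 'string' ||
      username === '' ||
      otp === ''
    ) {
      return NextResponse.json({ error: 'Solicitud inválida' }, { status: 400 });
    }

    // NOTE(review): X-Forwarded-For is supplied by the client unless a trusted
    // proxy overwrites it, and the leftmost entry is the one a client can set.
    // Confirm the deployment strips or rewrites this header before knownIps is
    // used for any trust decision (e.g. skipping the OTP step).
    const ip = req.headers.get('x-forwarded-for')?.split(',')[0].trim() || 'unknown';

    // NOTE(review): no attempt limiting is visible in this handler; confirm
    // that verifyOTP or upstream middleware throttles guesses per username.
    if (!verifyOTP(username, otp)) {
      return NextResponse.json({ error: 'Código inválido o expirado' }, { status: 401 });
    }

    const user = findUser(username);
    if (!user) {
      return NextResponse.json({ error: 'Usuario no encontrado' }, { status: 404 });
    }

    // Remember this IP only after the OTP check has passed; the 'unknown'
    // placeholder is never stored.
    if (!user.knownIps.includes(ip) && ip !== 'unknown') {
      user.knownIps.push(ip);
      saveUser(user);
    }

    // Login success
    await createSession(user);
    return NextResponse.json({ success: true });
  } catch (error) {
    // Log the detail server-side; the client only sees a generic message.
    console.error('OTP Verify error:', error);
    return NextResponse.json({ error: 'Error interno' }, { status: 500 });
  }
}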