import { NextRequest, NextResponse } from 'next/server';
import { getSupabaseAdmin, hashKey } from '@/lib/supabase';

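// 30 lookups per minute per IP
const WINDOW_MS = 60_000;
const MAX_PER_WINDOW = 30;
// Expired windows are swept at most once per WINDOW_MS so the map cannot
// grow without bound under a flood of requests from distinct addresses
// (the original only ever added entries, never removed them).
let lastSweepAt = 0;
const ipWindows = new Map<string, { count: number; resetAt: number }>();

/**
 * Fixed-window rate limiter keyed by client address.
 *
 * State lives in a process-local Map: each server instance counts on its own,
 * so across N instances the effective limit is N × MAX_PER_WINDOW and the
 * counters are lost on restart.
 *
 * @param ip  Bucket key; the caller passes the client address.
 * @returns true if the request fits in the current window and has been
 *          counted; false if the bucket is exhausted (not counted).
 */
function checkLimit(ip: string): boolean {
  const now = Date.now();

  // Lazy eviction of stale buckets; deleting during Map iteration is safe.
  if (now - lastSweepAt > WINDOW_MS) {
    for (const [addr, win] of ipWindows) {
      if (now > win.resetAt) ipWindows.delete(addr);
    }
    lastSweepAt = now;
  }

  const win = ipWindows.get(ip);
  if (!win || now > win.resetAt) {
    // First hit, or the previous window has elapsed: start a fresh window.
    ipWindows.set(ip, { count: 1, resetAt: now + WINDOW_MS });
    return true;
  }
  if (win.count >= MAX_PER_WINDOW) return false;
  win.count++;
  return true;
}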

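// Licence state (usage, active/flagged) must never be served from a shared
// or browser cache, so every response carries this header.
const NO_STORE = { 'Cache-Control': 'no-store' } as const;

/**
 * Licence lookup: `GET ...?key=LAU-XXXX-XXXX-XXXX`.
 *
 * Returns the selected columns of the matching `licences` row, or a fixed
 * error code:
 *   - 429 `rate_limit`   — bucket for this address is exhausted
 *   - 400 `invalid_key`  — key does not match the expected format
 *   - 404 `not_found`    — no row for the key; also returned on any DB error,
 *                          so a backend outage looks like an unknown key to
 *                          the client (deliberate: no detail is leaked)
 *
 * @param req  Incoming request; only the `key` query parameter and the
 *             `x-forwarded-for` header are read.
 */
export async function GET(req: NextRequest) {
  // Rate-limit bucket: first entry of X-Forwarded-For. That header is
  // client-supplied unless a trusted proxy in front of this app overwrites
  // it — if none does, a client can pick its own bucket and the limiter is
  // best-effort only. Requests without the header all share one bucket.
  const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? '0.0.0.0';
  if (!checkLimit(ip)) {
    // Retry-After is an upper bound: the window is 60 s long at most.
    return NextResponse.json(
      { error: 'rate_limit' },
      { status: 429, headers: { ...NO_STORE, 'Retry-After': '60' } },
    );
  }

  // Strict format check before any DB access: bounds the input length and
  // rejects anything that cannot be a licence key.
  const key = req.nextUrl.searchParams.get('key') ?? '';
  if (!/^LAU-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/.test(key)) {
    return NextResponse.json({ error: 'invalid_key' }, { status: 400, headers: NO_STORE });
  }

  // Only the hash of the key is stored/queried; the raw key never reaches
  // the database.
  const { data, error } = await getSupabaseAdmin()
    .from('licences')
    // email intentionally excluded — key lives in config files, don't expose PII via lookup
    // NOTE(review): `flagged` is returned to whoever holds the key; confirm
    // that exposing the abuse flag to the key holder is intended.
    .select('plan, quota_month, usage_month, reset_at, active, flagged, created_at')
    .eq('key_hash', hashKey(key))
    .single();

  if (error || !data) {
    return NextResponse.json({ error: 'not_found' }, { status: 404, headers: NO_STORE });
  }

  return NextResponse.json(data, { headers: NO_STORE });
}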
