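import { createClient } from "@/lib/supabase/server";
import { NextResponse } from "next/server";

/** Landing path used when `next` is missing, empty, or not a site-relative path. */
const DEFAULT_NEXT_PATH = "/dashboard-pages/dashboard";

/**
 * Auth callback route: exchanges the `code` query parameter for a Supabase
 * session, then redirects to the `next` path on this request's own origin.
 *
 * The redirect is issued whether or not the exchange succeeds. In the
 * password-reset flow the recovery token arrives as a hash fragment that the
 * client handles, so a failed or absent `code` is not treated as fatal here.
 *
 * @param request - Incoming request; `code` and `next` are read from its query string.
 * @returns A redirect response to `${origin}${next}`.
 */
export async function GET(request: Request) {
  const requestUrl = new URL(request.url);
  const code = requestUrl.searchParams.get("code");

  // NOTE(review): origin is derived from request.url. Behind a reverse proxy
  // or load balancer, confirm this is the public origin and not an internal
  // or client-influenced host (deployment-dependent; not visible from here).
  const origin = requestUrl.origin;

  // `||` rather than `??` so that an empty `next=` also falls back to the default.
  const requestedNext = requestUrl.searchParams.get("next") || DEFAULT_NEXT_PATH;

  // Prevent open redirect: `next` is attacker-controllable, so only values
  // that begin with "/" are accepted. This is sufficient only because the
  // target is always built as origin + path below; a value such as "//host"
  // then stays a path on this origin. The same check would NOT be enough if
  // `next` were ever handed to a redirect on its own.
  const next = requestedNext.startsWith("/") ? requestedNext : DEFAULT_NEXT_PATH;
  const destination = `${origin}${next}`;

  if (code) {
    const supabase = await createClient();
    const { error } = await supabase.auth.exchangeCodeForSession(code);
    if (error) {
      // Previously this failure was dropped silently. Record it so failed or
      // replayed codes are visible in server logs; the code value itself is
      // deliberately not logged.
      console.error("Auth callback: code exchange failed:", error.message);
    }
  }

  // If code exchange failed, fall through to the same redirect so the client
  // can complete hash-based recovery (password reset flow).
  return NextResponse.redirect(destination);
}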