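// Gates every /api/** route. Static SPA assets stay public.
//
// Runs as server middleware for every request: anything outside the "/api/"
// prefix passes through untouched (the bare path "/api", with no trailing
// slash, is not covered by the prefix test). On success the verified
// principal is stored on event.context.user for downstream handlers. Every
// failure mode (header missing, wrong scheme, empty token, verifier
// rejection) produces the same generic 401; the verifier's reason is not
// forwarded to the client. Per RFC 6750 §3 the 401 carries a
// `WWW-Authenticate: Bearer` challenge so clients know which scheme applies.
//
// NOTE(review): the prefix test runs on the raw URL pathname; confirm the
// route matcher resolves percent-encoded or differently-cased prefixes the
// same way, otherwise an /api handler could be reached without this check.

/**
 * Attaches the RFC 6750 challenge header and builds the generic 401.
 * Returned (not thrown) so the caller's `throw` keeps the stack at the site
 * of the failed check.
 *
 * @param {import('h3').H3Event} event - Request being rejected.
 * @returns {Error} The 401 error to throw.
 */
function unauthorized(event) {
  setResponseHeader(event, "WWW-Authenticate", "Bearer");
  return createError({ statusCode: 401, statusMessage: "Unauthorized" });
}

export default defineEventHandler(async (event) => {
  const { pathname } = getRequestURL(event);
  if (!pathname.startsWith("/api/")) return;

  // CORS preflight is answered (and short-circuited) by 0.cors.ts before this runs.

  // Only the exact "Bearer " scheme is accepted (case-sensitive, fail closed);
  // anything else yields an empty token and therefore a 401.
  const header = getHeader(event, "authorization") ?? "";
  const token = header.startsWith("Bearer ") ? header.slice(7).trim() : "";
  if (!token) {
    throw unauthorized(event);
  }

  try {
    event.context.user = await getVerifier()(token);
  } catch {
    // Verifier failures (expired, bad signature, unknown issuer, …) are all
    // collapsed into the same response; details stay server-side.
    throw unauthorized(event);
  }
});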