/**
 * API endpoint para verificar el estado de autenticación en tiempo real
 * Consulta los headers inyectados por Authentik Proxy Outpost
 */
export default defineEventHandler((event) => {
  // Establecer headers para prevenir caching
  setResponseHeaders(event, {
    'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    'Pragma': 'no-cache',
    'Expires': '0'
  })

  // Leer headers de Authentik en tiempo real
  const headers = getHeaders(event)

  const username = headers['x-authentik-username']
  const email = headers['x-authentik-email']
  const name = headers['x-authentik-name']
  const groups = headers['x-authentik-groups']
  const uid = headers['x-authentik-uid']

  // Si no hay username, no hay sesión activa en Authentik
  if (!username) {
    return {
      authenticated: false,
      user: null,
      timestamp: new Date().toISOString()
    }
  }

  // Sesión activa
  return {
    authenticated: true,
    user: {
      username,
      email,
      name,
      groups: groups ? groups.split('|') : [],
      uid
    },
    timestamp: new Date().toISOString()
  }
})