marktvogt.de/web/src/hooks.server.ts

import type { Handle } from '@sveltejs/kit';
import { apiFetch } from '$lib/api/client.js';
import { refreshTokens } from '$lib/api/client.server.js';
import type { ProfileData } from '$lib/api/types.js';

export const handle: Handle = async ({ event, resolve }) => {
	// Lightweight health endpoint for k8s probes — bypass auth and SSR.
	if (event.url.pathname === '/healthz') {
		return new Response('ok', { status: 200 });
	}

	const accessToken = event.cookies.get('access_token');
	const sessionToken = event.cookies.get('session_token');

	event.locals.user = null;

	if (accessToken) {
		try {
			const res = await apiFetch<ProfileData>('/users/me', {
				headers: { Authorization: `Bearer ${accessToken}` },
				fetch: event.fetch
			});
			event.locals.user = res.data;
		} catch {
			// Access token expired — try refresh
			if (sessionToken) {
				const refreshed = await refreshTokens(event.cookies, event.fetch);
				if (refreshed) {
					const newToken = event.cookies.get('access_token');
					if (newToken) {
						try {
							const res = await apiFetch<ProfileData>('/users/me', {
								headers: { Authorization: `Bearer ${newToken}` },
								fetch: event.fetch
							});
							event.locals.user = res.data;
						} catch {
							// Token invalid even after refresh
						}
					}
				}
			}
		}
	} else if (sessionToken) {
		const refreshed = await refreshTokens(event.cookies, event.fetch);
		if (refreshed) {
			const newToken = event.cookies.get('access_token');
			if (newToken) {
				try {
					const res = await apiFetch<ProfileData>('/users/me', {
						headers: { Authorization: `Bearer ${newToken}` },
						fetch: event.fetch
					});
					event.locals.user = res.data;
				} catch {
					// Failed after refresh
				}
			}
		}
	}

	return resolve(event, {
		preload: ({ type }) => type === 'font' || type === 'js' || type === 'css'
	});
};