/**
 * SvelteKit server hook: exposes the session cookie to server-side code and
 * applies hardening headers to every response.
 *
 * SECURITY FIX #25. Note that this hook does NOT verify the token: no
 * signature or expiry check happens here. `event.locals.isAuthenticated` only
 * records that an `auth_token` cookie was sent, and `event.locals.authToken`
 * is the raw cookie value. Per the original note the JWT is validated on API
 * calls, so load functions must not treat the flag as proof of identity.
 *
 * @type {import('@sveltejs/kit').Handle}
 */
export async function handle({ event, resolve }) {
  const sessionCookie = event.cookies.get('auth_token');

  if (sessionCookie) {
    // Pass the raw token through unchanged so load functions can forward it.
    event.locals.authToken = sessionCookie;
  }
  // Presence-only flag: true iff a non-empty cookie was supplied.
  event.locals.isAuthenticated = Boolean(sessionCookie);

  const response = await resolve(event);

  // Response hardening: MIME sniffing off, same-origin framing only,
  // referrer trimmed on cross-origin navigations.
  const securityHeaders = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'SAMEORIGIN',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  for (const [headerName, headerValue] of Object.entries(securityHeaders)) {
    response.headers.set(headerName, headerValue);
  }

  return response;
}