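'use client'

/**
 * Reads the CSRF token from the `csrf_token` cookie.
 *
 * Because the value is read through `document.cookie`, the cookie cannot be
 * HttpOnly, so any script running on the page can read the token as well.
 *
 * @returns The cookie value, or an empty string when there is no `document`
 *          (code running outside a browser) or the cookie is not set.
 */
function getCsrfToken(): string {
  if (typeof document === 'undefined') return ''

  const prefix = 'csrf_token='
  const entry = document.cookie.split('; ').find((c) => c.startsWith(prefix))

  // Slice off the cookie name rather than splitting on '=': a value that
  // itself contains '=' (base64 padding, for instance) would otherwise be cut
  // at the first '=' and no longer match what the server expects.
  return entry?.slice(prefix.length) ?? ''
}

/**
 * Drop-in replacement for fetch() that automatically injects the CSRF token
 * on POST requests.
 *
 * The token is taken from the `csrf_token` cookie and sent in the
 * `x-csrf-token` header. Requests using any other method are handed to
 * fetch() unchanged.
 *
 * NOTE(review): PUT, PATCH and DELETE requests leave without the header.
 * Confirm that the server's CSRF check and this wrapper agree on which
 * methods carry a token.
 *
 * NOTE(review): the header is attached whatever host `url` names. Use this
 * wrapper only for same-origin (or otherwise trusted) API URLs so the token
 * is never sent to a third party.
 *
 * @param url  Request URL.
 * @param init Standard fetch options; the object passed in is not mutated.
 * @returns The promise returned by fetch().
 */
export function apiFetch(url: string, init: RequestInit = {}): Promise<Response> {
  const method = (init.method ?? 'GET').toUpperCase()
  if (method !== 'POST') {
    return fetch(url, init)
  }

  // Copy the caller's headers so the caller's own init object stays untouched.
  const headers = new Headers(init.headers)
  // When the cookie is missing the header is still sent, with an empty value;
  // the server is expected to reject an empty token.
  headers.set('x-csrf-token', getCsrfToken())
  return fetch(url, { ...init, headers })
}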