/**
 * Session profile endpoint: returns display metadata for the caller's session.
 *
 * Responds with 401 ('Sem sessão') when readSession() yields no session for
 * the value read from the session cookie. The response body is an explicit
 * allow-list of userInfo fields, so nothing else stored on the session object
 * is serialized to the client.
 *
 * NOTE(review): readSessionCookie/readSession are defined elsewhere; cookie
 * validation and session expiry are presumably handled there — confirm.
 * NOTE(review): the roles returned here are informational for the client;
 * server routes still need to enforce authorization on their own.
 *
 * @returns {Promise<{name: string, documento: string, email: string, roles: Array}>}
 * @throws 401 error built by createError when there is no session.
 */
export default defineEventHandler(async (event) => {
  const sessionId = readSessionCookie(event)
  const activeSession = await readSession(sessionId)

  // No session for this cookie: reject before touching any user data.
  if (!activeSession) {
    throw createError({ statusCode: 401, statusMessage: 'Sem sessão' })
  }

  // Pull only the fields exposed below; `documento` is sourced from
  // preferred_username and `roles` from realm_roles.
  const {
    name,
    preferred_username: documento,
    email,
    realm_roles: roles,
  } = activeSession.userInfo

  // Return metadata only — tokens never leave the server.
  // `??` (not destructuring defaults) so that null also falls back.
  return {
    name: name ?? '',
    documento: documento ?? '',
    email: email ?? '',
    roles: roles ?? [],
  }
})