package middleware

import (
	"net/http"

	"github.com/spf13/viper"
)

// SecurityHeaders adds security and cache-control headers to all responses
func SecureHeaders() Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Caching headers
			w.Header().Set("Cache-Control", "no-store")

			// XSSProtection provides protection against cross-site scripting attack (XSS)
			w.Header().Set("X-XSS-Protection", "1; mode=block")

			// ContentTypeNosniff provides protection against overriding Content-Type
			w.Header().Set("X-Content-Type-Options", "nosniff")

			// XFrameOptions prevents the page from being displayed in a frame
			w.Header().Set("X-Frame-Options", "DENY")

			// HSTS (HTTP Strict Transport Security) forces the browser to use HTTPS
			w.Header().Set("Strict-Transport-Security", "max-age=3600; includeSubDomains")

			// ReferrerPolicy sets the referrer information passed during navigation
			w.Header().Set("Referrer-Policy", "no-referrer")

			// CSP controls the resources the user agent is allowed to load for a page
			cspPolicy := "default-src 'self'; " +
				// Allow HTMX to load from unpkg.com
				"script-src 'self' https://unpkg.com/htmx.org@*; " +
				"style-src 'self'; " +
				"img-src 'self' data:; " +
				"font-src 'self'; " +
				"connect-src 'self'; " +
				"object-src 'none'; " +
				"frame-ancestors 'none'; " +
				"form-action 'self'; " +
				"base-uri 'self';"

			// Add upgrade-insecure-requests directive only in production
			if viper.GetString("environment") == "production" {
				cspPolicy += "upgrade-insecure-requests;"
			}

			// Set Content-Security-Policy header
			w.Header().Set("Content-Security-Policy", cspPolicy)

			// Cross-Origin-Embedder-Policy prevents cross-origin resources from being loaded
			w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")

			// Cross-Origin-Opener-Policy prevents cross-origin documents from being loaded
			w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")

			// Cross-Origin-Resource-Policy prevents cross-origin resources from being loaded
			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")

			next.ServeHTTP(w, r)
		})
	}
}

// MaxBodySize limits the maximum size of request bodies
// size parameter is in bytes
func MaxBodySize(maxSize int64) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Skip restricting GET, HEAD, and OPTIONS requests as they shouldn't have bodies
			if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
				next.ServeHTTP(w, r)
				return
			}

			// Check Content-Length header first for efficiency
			if r.ContentLength > maxSize {
				http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
				return
			}

			// If Content-Length is not set or potentially spoofed, use LimitReader
			r.Body = http.MaxBytesReader(w, r.Body, maxSize)

			// Continue to next middleware/handler
			next.ServeHTTP(w, r)
		})
	}
}