// Express entry point: security headers, body parsing, CORS, HTTPS
// enforcement (production), Auth0 session middleware (production), the
// inline auth routes, the feature routers, and server startup.
require('dotenv').config();

const express = require('express');
const cors = require('cors');
const { auth } = require('express-openid-connect');
const config = require('./config');
const jwt = require('jsonwebtoken');
const helmet = require('helmet');
const secureAuth = require('./middleware/secureAuth');

// Evaluated once; every environment switch below keys off this value. An
// unset NODE_ENV is therefore treated as non-production (the startup log
// prints it as 'development').
const isProduction = process.env.NODE_ENV === 'production';

const app = express();

// Security headers go first so they are applied to every response,
// including error responses produced further down the chain.
app.use(helmet());

// Body parsing and CORS. Only the configured frontend origin is allowed,
// with credentials enabled, so cookies / Authorization headers can be sent
// cross-origin from that single origin.
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(cors({ origin: config.frontend.url, credentials: true }));

// Rejects plaintext requests with 403 instead of redirecting. Express's
// `req.secure` only reflects a TLS-terminating proxy when the 'trust proxy'
// setting is configured (this file does not set it), hence the explicit
// header fallback. NOTE(review): the raw X-Forwarded-Proto value is read
// as-is, so the check is only as reliable as whatever sits in front of
// this server — confirm the deployment's proxy overwrites that header.
const requireHttps = (req, res, next) => {
  const arrivedOverTls =
    req.secure || req.headers['x-forwarded-proto'] === 'https';
  if (!arrivedOverTls) {
    return res.status(403).json({
      error: 'HTTPS Required',
      message: 'Secure connection required for this endpoint',
    });
  }
  next();
};

if (isProduction) {
  app.use(requireHttps);
}

// Auth0 session middleware (express-openid-connect) is mounted only in
// production; it is what populates req.oidc / res.oidc for the handlers
// below. The package's built-in login/logout routes are disabled because
// this file defines its own under /api/auth.
if (isProduction) {
  app.use(
    auth({
      authRequired: false,
      auth0Logout: true,
      baseURL: config.server.url,
      clientID: config.auth0.clientId,
      issuerBaseURL: `https://${config.auth0.domain}`,
      secret: config.auth0.secret,
      routes: {
        login: false,
        logout: false,
      },
    }),
  );
}

// Login.
//   non-production: mints a self-signed JWT for a fixed test identity that
//                   carries the admin role, signed with config.auth0.secret.
//   production:     starts the Auth0 authorization-code flow.
// NOTE(review): outside production this endpoint hands an admin-role token
// to any caller without credentials, and it is reachable whenever NODE_ENV
// is anything other than exactly 'production' (including unset) — make sure
// deployed environments set NODE_ENV.
app.get('/api/auth/login', (req, res) => {
  if (!isProduction) {
    const devClaims = {
      sub: 'test-user',
      email: 'test@example.com',
      name: 'Test User',
      'https://container-mom.com/roles': ['admin'],
    };
    const token = jwt.sign(devClaims, config.auth0.secret, { expiresIn: '1d' });
    return res.json({ token });
  }

  res.oidc.login({
    returnTo: config.frontend.url,
    authorizationParams: { redirect_uri: `${config.server.url}/callback` },
  });
});

// Logout: non-production just bounces to the frontend; production ends the
// Auth0 session (auth0Logout above also clears the IdP session).
app.get('/api/auth/logout', (req, res) => {
  if (!isProduction) {
    return res.redirect(config.frontend.url);
  }
  res.oidc.logout({ returnTo: config.frontend.url });
});

// Current user, guarded by the project's secureAuth middleware.
// req.oidc is populated by the Auth0 middleware, which is mounted only in
// production — TODO confirm what secureAuth provides in development, since
// this handler reads req.oidc.user unconditionally.
app.get('/api/auth/user', secureAuth, (req, res) => {
  res.json(req.oidc.user);
});

// Auth0 redirect target (see redirect_uri above). Presumably the Auth0
// middleware completes the code exchange before this handler runs; all it
// does here is send the browser back to the frontend — verify against the
// express-openid-connect callback configuration.
app.get('/callback', (req, res) => {
  res.redirect(config.frontend.url);
});

// Feature routers. The routers are loaded here, after the inline handlers,
// to keep module load order unchanged; '/api/auth' is mounted after the
// inline /api/auth/* handlers above, so those take precedence on overlap.
const deploymentRoutes = require('./routes/deployments');
app.use('/api/deployments', deploymentRoutes);

const authRoutes = require('./routes/auth');
app.use('/api/auth', authRoutes);

// Start listening. `||` is intentional: a missing/empty config.port falls
// back to 3001.
const port = config.port || 3001;
app.listen(port, () => {
  console.log(`Server running on port ${port}`);
  console.log(`Environment: ${process.env.NODE_ENV || 'development'}`);
});