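package middleware

import (
	"strconv"
	"strings"

	"github.com/gofiber/fiber/v3"

	gconfig "knowfoolery/backend/services/gateway-service/internal/infra/config"
)

// SecurityHeaders returns a middleware that sets baseline browser-hardening
// response headers and then hands the request to the next handler.
//
// Headers driven by cfg are only emitted when the corresponding field is
// non-empty (or, for X-Content-Type-Options, enabled), so an unset field
// leaves that header untouched. X-XSS-Protection and Server are set
// unconditionally. Strict-Transport-Security is added only when
// cfg.EnableHSTS is true and isHTTPS recognises the request as TLS; browsers
// ignore HSTS received over plain HTTP, so emitting it on the wrong scheme
// would be pointless rather than harmful. The headers are set before
// c.Next(), so a downstream handler can still override them.
func SecurityHeaders(cfg gconfig.SecurityHeadersConfig) fiber.Handler {
	return func(c fiber.Ctx) error {
		setIfNonEmpty(c, "Content-Security-Policy", cfg.ContentSecurityPolicy)
		setIfNonEmpty(c, "X-Frame-Options", cfg.FrameOptions)
		setIfNonEmpty(c, "Referrer-Policy", cfg.ReferrerPolicy)
		setIfNonEmpty(c, "Permissions-Policy", cfg.PermissionsPolicy)

		if cfg.ContentTypeOptions {
			c.Set("X-Content-Type-Options", "nosniff")
		}

		// NOTE(review): X-XSS-Protection is a legacy header that current
		// browsers ignore; OWASP now recommends "0" (or omitting it) because
		// the old filter could itself be abused in older browsers. The value
		// is kept as shipped; reconsider making it configurable like the
		// headers above.
		c.Set("X-XSS-Protection", "1; mode=block")

		// Intended to suppress server fingerprinting. Whether an empty value
		// omits the header or emits "Server:" with no value depends on the
		// underlying fasthttp behaviour — confirm; Fiber's
		// app.Config.ServerHeader is the other place this value comes from.
		c.Set("Server", "")

		if cfg.EnableHSTS && isHTTPS(c) {
			// A max-age of 0 tells browsers to drop a previously stored HSTS
			// policy, so cfg.HSTSMaxAge is expected to be validated as > 0 by
			// the config layer (not visible here).
			c.Set(
				"Strict-Transport-Security",
				"max-age="+strconv.Itoa(cfg.HSTSMaxAge)+"; includeSubDomains",
			)
		}

		return c.Next()
	}
}

// setIfNonEmpty sets response header name to value unless value is empty,
// so an unset config field does not produce an empty header.
func setIfNonEmpty(c fiber.Ctx, name, value string) {
	if value != "" {
		c.Set(name, value)
	}
}

// isHTTPS reports whether the request is considered to have arrived over
// TLS, either directly or as declared by a fronting proxy.
//
// c.Scheme() is the scheme Fiber derived for the request ("http"/"https");
// with Fiber's trusted-proxy support enabled it already honours the
// X-Forwarded-* headers from proxies declared trusted. In Fiber v3,
// c.Protocol() reports the HTTP version (e.g. "HTTP/1.1") rather than the
// scheme, so the previous comparison of c.Protocol() with "https" never
// matched and every decision fell through to the forwarded header —
// confirm against the pinned fiber version.
//
// The explicit X-Forwarded-Proto fallback keeps behaviour for deployments
// whose TLS-terminating proxy is not declared trusted. That header is
// client-controllable when the service is reachable directly, but the only
// effect of a forged value here is an HSTS header on a plain-HTTP response,
// which browsers ignore. A forged value cannot suppress HSTS on a genuine
// TLS connection because the scheme check runs first.
func isHTTPS(c fiber.Ctx) bool {
	if strings.EqualFold(c.Scheme(), "https") {
		return true
	}
	return strings.EqualFold(c.Get("X-Forwarded-Proto"), "https")
}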