import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

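/**
 * Content-Type values assigned by {@link proxy} when the request path ends with
 * one of these extensions. The keys do not overlap (a path ending in `.json`
 * does not end in `.js`), so lookup order is irrelevant. Matching is
 * case-sensitive, as in the original `endsWith` chain.
 */
const CONTENT_TYPE_BY_EXTENSION: ReadonlyMap<string, string> = new Map([
  ['.js', 'application/javascript; charset=utf-8'],
  ['.css', 'text/css; charset=utf-8'],
  ['.json', 'application/json; charset=utf-8'],
  ['.xml', 'application/xml; charset=utf-8'],
  ['.svg', 'image/svg+xml'],
  ['.webp', 'image/webp'],
  ['.png', 'image/png'],
  ['.jpg', 'image/jpeg'],
  ['.jpeg', 'image/jpeg'],
  ['.txt', 'text/plain; charset=utf-8'],
]);

/**
 * Picks the Content-Type for `pathname` from its file extension.
 *
 * @param pathname - the URL path of the incoming request (no query string).
 * @returns the matching media type, or `undefined` when the extension is not
 *   listed in `CONTENT_TYPE_BY_EXTENSION` (the header is then left untouched).
 */
function contentTypeForPath(pathname: string): string | undefined {
  for (const [extension, contentType] of CONTENT_TYPE_BY_EXTENSION) {
    if (pathname.endsWith(extension)) {
      return contentType;
    }
  }
  return undefined;
}

/**
 * Builds the Content-Security-Policy value for a single response.
 *
 * The policy is nonce-based: there is no `'unsafe-inline'` and no
 * `'unsafe-eval'`, so only `<script>`/`<style>` elements carrying the
 * per-request nonce execute. Note that nonces cover elements only — inline
 * `style="…"` attributes and inline event handlers stay blocked.
 *
 * @param nonce - the base64 nonce generated for the current request.
 * @returns the serialized policy, directives joined by `; `.
 */
function buildContentSecurityPolicy(nonce: string): string {
  const directives = [
    `default-src 'self'`,
    // With 'strict-dynamic', CSP3-capable browsers ignore the host allowlist
    // below and trust only nonced scripts plus the scripts those load at
    // runtime; the hosts remain as a fallback for browsers that do not
    // implement 'strict-dynamic'.
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https://www.googletagmanager.com https://www.google-analytics.com https://connect.facebook.net https://www.facebook.com https://www.google.com https://www.gstatic.com https://apis.google.com https://www.clarity.ms https://scripts.clarity.ms https://recaptcha.net https://www.recaptcha.net https://images.dmca.com https://embed.tawk.to`,
    `style-src 'self' 'nonce-${nonce}' https://fonts.googleapis.com https://www.gstatic.com`,
    `font-src 'self' https://fonts.gstatic.com data:`,
    `img-src 'self' data: blob: https://images.dmca.com https://backend.moweb.com https://devbackend.moweb.com https://mwdev-back.yecor.com https://www.moweb.com https://www.googletagmanager.com https://www.google-analytics.com https://www.facebook.com https://connect.facebook.net https://c.clarity.ms https://c.bing.com`,
    `media-src 'self' data: blob: https://backend.moweb.com https://devbackend.moweb.com https://mwdev-back.yecor.com https://www.moweb.com`,
    `connect-src 'self' https://backend.moweb.com https://devbackend.moweb.com https://mwdev-back.yecor.com https://www.moweb.com https://www.google-analytics.com https://www.facebook.com https://connect.facebook.net https://api.whatsapp.com https://www.clarity.ms https://c.clarity.ms https://e.clarity.ms https://va.tawk.to https://embed.tawk.to wss://embed.tawk.to wss://va.tawk.to wss://moweb-chatbot.workzy.co/ws`,
    `frame-src 'self' https://www.google.com https://www.facebook.com https://connect.facebook.net https://recaptcha.net https://www.recaptcha.net https://embed.tawk.to`,
    `worker-src 'self' blob:`,
    // No plugins (Flash/Java-style embeds), and <base> cannot be repointed.
    `object-src 'none'`,
    `base-uri 'self'`,
    `form-action 'self' https://backend.moweb.com https://devbackend.moweb.com https://mwdev-back.yecor.com`,
    // Clickjacking defence; mirrored by X-Frame-Options: DENY for old browsers.
    `frame-ancestors 'none'`,
    `upgrade-insecure-requests`,
  ];
  return directives.join('; ');
}

/**
 * Request proxy (Next.js middleware entry point): generates a per-request CSP
 * nonce, forwards it to server components via the `x-nonce` request header,
 * and attaches the security response headers (CSP, HSTS, nosniff, framing,
 * referrer and permissions policies) to the passthrough response.
 *
 * Because the nonce differs on every request, any page that renders it must
 * be served dynamically; a cached HTML body would carry a stale nonce that
 * no longer matches the header.
 *
 * @param request - the incoming request; only its headers and pathname are read.
 * @returns a `NextResponse.next()` passthrough carrying the security headers.
 */
export function proxy(request: NextRequest) {
  // A random UUID (122 bits of entropy from the platform CSPRNG), base64-encoded
  // so it is a valid CSP nonce token.
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
  const cspHeader = buildContentSecurityPolicy(nonce);

  // Forward the nonce to server components on a request header. `set` (not
  // `append`) deliberately overwrites any `x-nonce` a client may have sent,
  // so the value seen downstream is always the one generated here.
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-nonce', nonce);

  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  response.headers.set('Content-Security-Policy', cspHeader);

  // HSTS — one year, subdomains included, preload-list eligible (APT-010).
  response.headers.set(
    'Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
  );

  // Content-Type is inferred from the URL extension for common static asset
  // types (APT - Content-Type Header Missing). The passthrough response has no
  // body at this point, so the guard is expected to be true; the header is
  // applied only for extensions listed in CONTENT_TYPE_BY_EXTENSION.
  // NOTE(review): this is set before the route handler runs, so a handler
  // returning a different media type for such a path could be overridden —
  // verify against the routes that serve these extensions.
  if (!response.headers.get('Content-Type')) {
    const contentType = contentTypeForPath(request.nextUrl.pathname);
    if (contentType !== undefined) {
      response.headers.set('Content-Type', contentType);
    }
  }

  // Additional security headers.
  response.headers.set('X-Content-Type-Options', 'nosniff');
  response.headers.set('X-Frame-Options', 'DENY');
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
  // Legacy header: current browsers have removed the XSS auditor, and the
  // nonce-based CSP above is the effective protection. Kept for scanners and
  // old browsers; OWASP's current guidance is to send `0` instead.
  response.headers.set('X-XSS-Protection', '1; mode=block');
  response.headers.set(
    'Permissions-Policy',
    'camera=(), microphone=(), geolocation=()'
  );

  // Strip server fingerprinting headers from the passthrough response.
  // NOTE(review): X-Powered-By is added by Next itself and Server by the hosting
  // layer; confirm these deletions take effect on the final response
  // (`poweredByHeader: false` in next.config is the documented switch for the
  // former).
  response.headers.delete('X-Powered-By');
  response.headers.delete('Server');

  return response;
}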

/**
 * Proxy/middleware route matcher. The value must stay a literal so Next.js can
 * analyse it statically — do not hoist it into a variable.
 */
export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - favicon.ico (favicon file)
     * Note: _next/image is NOT excluded so it gets CSP headers (APT-005)
     *
     * Paths excluded here never pass through `proxy`, so none of the security
     * headers it sets (CSP, HSTS, nosniff, ...) are applied to them by this
     * file. The `.` in `favicon.ico` is an unescaped regex wildcard; this is
     * the conventional Next.js pattern and only widens the exclusion to
     * `favicon?ico`-style paths.
     */
    '/((?!_next/static|favicon.ico).*)',
  ],
};
