import { NextRequest, NextResponse } from 'next/server'

/**
 * Response headers applied to everything this middleware handles: the
 * pass-through response and the 429 responses it builds itself.
 *
 * - X-Content-Type-Options: nosniff — stops MIME sniffing of API bodies.
 * - X-Frame-Options: DENY — disallows framing; the CSP `frame-ancestors`
 *   directive is the modern equivalent but no CSP is set here.
 * - X-XSS-Protection: 1; mode=block — legacy browser XSS auditor. Current
 *   guidance (OWASP Secure Headers) is to send `0`, because the auditor has
 *   been abused for cross-site leaks and modern browsers ignore the header;
 *   the value is kept as-is pending that decision.
 * - Referrer-Policy: strict-origin-when-cross-origin.
 *
 * Not set: Strict-Transport-Security, Content-Security-Policy and
 * Permissions-Policy. Those depend on the deployment (HTTPS termination,
 * script/style sources) and should be added once those are known.
 */
const securityHeaders: Record<string, string> = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
}

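/**
 * Per-key counters for the fixed-window rate limiter below.
 *
 * Module scope means one store per process/isolate: in a multi-instance
 * deployment each instance counts on its own, so the effective limit is the
 * configured value times the number of instances. Treat it as a best-effort
 * brake rather than a hard guarantee; a shared store is needed for that.
 *
 * Entries are swept once their window has closed (see `sweepExpired`) so the
 * map cannot grow without bound under a stream of never-repeating keys.
 */
const rateLimitStore = new Map<string, { count: number; resetTime: number }>()

/** Expired entries are swept at most this often. */
const RATE_LIMIT_SWEEP_INTERVAL_MS = 60 * 1000
let lastSweepAt = 0

/**
 * Best-effort client address used as the rate-limit key.
 *
 * Order of preference: first `X-Forwarded-For` entry, then `X-Real-IP`,
 * then the literal 'unknown'. Both headers are set by whatever sits in
 * front of the app, so they are only meaningful when a trusted proxy
 * overwrites or strips them. If requests can reach the app without such a
 * proxy, the sender picks its own key (and thus its own bucket), and every
 * limit keyed on this value becomes advisory. Requests carrying neither
 * header all share the 'unknown' bucket.
 *
 * @param req - Incoming request; only the two headers above are read.
 * @returns The address string, or 'unknown'.
 */
function getIp(req: NextRequest): string {
  const forwarded = req.headers.get('x-forwarded-for')
  const firstHop = forwarded?.split(',')[0]?.trim()
  if (firstHop) return firstHop
  return req.headers.get('x-real-ip') || 'unknown'
}

/**
 * Deletes every entry whose window has closed. Runs at most once per
 * `RATE_LIMIT_SWEEP_INTERVAL_MS`, so the O(n) pass is amortised over many
 * requests. Deleting during Map iteration is well-defined in JS.
 *
 * @param now - Current time in ms, passed in so the caller and the sweep
 *   agree on "now".
 */
function sweepExpired(now: number): void {
  if (now - lastSweepAt < RATE_LIMIT_SWEEP_INTERVAL_MS) return
  lastSweepAt = now
  for (const [key, entry] of rateLimitStore) {
    if (now > entry.resetTime) rateLimitStore.delete(key)
  }
}

/**
 * Fixed-window counter: records one hit for `key` and reports whether the
 * hit exceeds `maxReqs` in the current `windowMs` window.
 *
 * The first hit on a key (or the first after its window closed) opens a new
 * window and is never limited. Once `maxReqs` hits have been counted,
 * further hits return true and are not counted, until the window expires.
 * Windows do not slide: `maxReqs` hits at the end of one window followed by
 * `maxReqs` at the start of the next all pass.
 *
 * @param key - Bucket identifier, e.g. `login:<ip>`.
 * @param maxReqs - Hits allowed per window.
 * @param windowMs - Window length in milliseconds.
 * @returns true when the caller should reject the request.
 */
function isRateLimited(key: string, maxReqs: number, windowMs: number): boolean {
  const now = Date.now()
  sweepExpired(now)

  const entry = rateLimitStore.get(key)
  if (!entry || now > entry.resetTime) {
    rateLimitStore.set(key, { count: 1, resetTime: now + windowMs })
    return false
  }

  if (entry.count >= maxReqs) return true
  entry.count++
  return false
}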

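/** Credential login: attempts allowed per window, and the window length. */
const LOGIN_MAX_ATTEMPTS = 5
const LOGIN_WINDOW_MS = 15 * 60 * 1000

/** Other API routes: separate read and write budgets per window. */
const API_READ_LIMIT = 60
const API_WRITE_LIMIT = 30
const API_WINDOW_MS = 60 * 1000

/** Methods counted against the write budget; everything else is a read. */
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE'])

/**
 * Edge middleware for `/dmcify/api/*` (see `config.matcher` below).
 *
 * Two fixed-window limits are applied, keyed on the client address from
 * `getIp`:
 *  - POSTs to the credentials login callback: `LOGIN_MAX_ATTEMPTS` per
 *    `LOGIN_WINDOW_MS` (brute-force protection);
 *  - every other non-auth API route: `API_READ_LIMIT` reads or
 *    `API_WRITE_LIMIT` writes per `API_WINDOW_MS`, in separate buckets so
 *    one kind of traffic cannot exhaust the other's budget.
 * Auth routes other than the login callback are not rate limited here.
 *
 * Every response, including the 429s, carries `securityHeaders`; a 429 also
 * carries `Retry-After` so well-behaved clients back off instead of retrying
 * immediately. Because the key comes from proxy headers, the limits are only
 * as trustworthy as the proxy that sets them.
 *
 * @param req - Incoming request; only `nextUrl.pathname`, `method` and the
 *   address headers are read.
 * @returns A 429 JSON response when a limit is exceeded, otherwise the
 *   pass-through response with the security headers set.
 */
export function middleware(req: NextRequest) {
  const { pathname } = req.nextUrl
  const ip = getIp(req)

  // Login brute force protection
  if (pathname === '/dmcify/api/auth/callback/credentials' && req.method === 'POST') {
    if (isRateLimited(`login:${ip}`, LOGIN_MAX_ATTEMPTS, LOGIN_WINDOW_MS)) {
      return tooManyRequests('Too many login attempts. Please try again later.', LOGIN_WINDOW_MS)
    }
  }

  // API rate limiting (auth routes excluded; the login callback is handled above)
  if (pathname.startsWith('/dmcify/api/') && !pathname.startsWith('/dmcify/api/auth/')) {
    const isWrite = WRITE_METHODS.has(req.method)
    const limit = isWrite ? API_WRITE_LIMIT : API_READ_LIMIT
    if (isRateLimited(`api:${ip}:${isWrite ? 'w' : 'r'}`, limit, API_WINDOW_MS)) {
      return tooManyRequests('Too many requests. Please slow down.', API_WINDOW_MS)
    }
  }

  const response = NextResponse.next()
  for (const [key, value] of Object.entries(securityHeaders)) {
    response.headers.set(key, value)
  }

  return response
}

/**
 * Builds the 429 response: JSON `{ message }`, the security headers, and
 * `Retry-After` in seconds set to the full window length. That is an upper
 * bound on the real wait, since the store does not expose the remaining time.
 *
 * @param message - User-facing explanation placed in the JSON body.
 * @param windowMs - Window length of the limit that was hit.
 */
function tooManyRequests(message: string, windowMs: number) {
  return NextResponse.json(
    { message },
    {
      status: 429,
      headers: { ...securityHeaders, 'Retry-After': String(Math.ceil(windowMs / 1000)) },
    }
  )
}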

/**
 * Limits the middleware to the API routes. Pages and static assets are not
 * matched, so they receive neither the rate limiting nor `securityHeaders`;
 * widen the matcher if page responses should carry the headers as well.
 * Next.js reads this export statically, so keep it a plain literal.
 */
export const config = {
  matcher: ['/dmcify/api/:path*'],
}
