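import express, { type Express } from "express";
import cors from "cors";
import router from "./routes/index.js";
import { responseTimeMiddleware } from "./middlewares/response-time.js";

const app: Express = express();

// Trust exactly one reverse-proxy hop for X-Forwarded-* (req.ip, req.protocol).
// Raising this number lets clients forge req.ip via X-Forwarded-For, so only
// change it if another proxy layer really is added in front of this one.
app.set("trust proxy", 1);

// ── CORS (#5) ────────────────────────────────────────────────────────────────
// CORS_ORIGINS = comma-separated list of allowed origins. Matching is an exact
// string compare against the browser's Origin header, so scheme and port must
// match; a trailing slash in the env value is stripped because an Origin header
// never carries one and such an entry would otherwise silently never match.
// Default in production: alexanderwhitestone.com (and www. variant).
// Default in development: all origins permitted (reflected, with credentials).
const isProd = process.env["NODE_ENV"] === "production";

const PROD_DEFAULT_ORIGINS = [
  "https://alexanderwhitestone.com",
  "https://www.alexanderwhitestone.com",
];

/**
 * Parse a comma-separated origin list into trimmed, slash-normalised entries.
 * Returns an empty list for undefined, empty or whitespace-only input.
 */
function parseOrigins(raw: string | undefined): string[] {
  if (!raw) return [];
  return raw
    .split(",")
    .map((entry) => entry.trim().replace(/\/+$/, ""))
    .filter(Boolean);
}

const configuredOrigins = parseOrigins(process.env["CORS_ORIGINS"]);

// An empty list means "reflect any origin" below. Because credentials: true is
// set, that combination must never be reached in production: a CORS_ORIGINS
// that is set but blank (e.g. "" or ",") would otherwise let any site make
// credentialed cross-origin requests. In production an empty parse therefore
// falls back to the defaults; outside production it intentionally opens up.
const allowedOrigins: string[] =
  configuredOrigins.length > 0 ? configuredOrigins : isProd ? PROD_DEFAULT_ORIGINS : [];

app.use(
  cors({
    origin:
      allowedOrigins.length === 0
        ? true
        : (origin, callback) => {
            // No Origin header => not a browser cross-origin request (same-origin
            // navigation, curl, server-to-server); nothing for CORS to gate.
            if (!origin || allowedOrigins.includes(origin)) {
              callback(null, true);
            } else {
              // Rejecting with an Error short-circuits the request before it reaches
              // the router, rather than merely omitting the CORS headers. That also
              // stops simple cross-site form POSTs (express.urlencoded is enabled
              // below) from unlisted origins, which browsers send with an Origin
              // header. Downside: the default Express error handler answers with a
              // 500 — map this error to 403 in the app's error handler if one exists
              // (not visible in this file).
              callback(new Error(`CORS: origin '${origin}' not allowed`));
            }
          },
    credentials: true,
    methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
    allowedHeaders: ["Content-Type", "Authorization", "X-Session-Token"],
    // The session token travels in a custom header, which is why browsers need it
    // explicitly exposed; custom request headers also force a preflight, so the
    // origin check above runs before any such request is executed.
    exposedHeaders: ["X-Session-Token"],
  }),
);

// Body parsers use express's default size limit (100kb) — tighten per-route if
// a smaller bound is appropriate.
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(responseTimeMiddleware);

app.use("/api", router);

app.get("/", (_req, res) => res.redirect("/api/ui"));
app.get("/api", (_req, res) => res.redirect("/api/ui"));

export default app;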