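package com.osleague.groupironmen.config;

import com.osleague.groupironmen.security.TokenAuthenticationFilter;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfigurationSource;

/**
 * Security configuration for the Group Ironmen API.
 *
 * <p>Public endpoints (no authentication):
 * <ul>
 *   <li>POST /api/create-group</li>
 *   <li>GET /api/ge-prices</li>
 *   <li>GET /api/captcha-enabled</li>
 *   <li>GET /api/collection-log-info</li>
 *   <li>GET /actuator/health/** and GET /actuator/info (liveness/readiness probes only)</li>
 * </ul>
 *
 * <p>Protected endpoints (token authentication via {@link TokenAuthenticationFilter}):
 * <ul>
 *   <li>All /api/group/{group_name}/** endpoints</li>
 *   <li>Every other path, including the remaining actuator endpoints
 *       (env, heapdump, loggers, ... if they are ever exposed over HTTP)</li>
 * </ul>
 *
 * <p>NOTE(review): the public matchers below are path-only. They permit every HTTP method on
 * those paths, not just the one listed above; scope them with an HttpMethod-qualified matcher
 * if the controllers ever map more than one method on the same path.
 */
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {

    /** Authenticates requests from the bearer/group token; injected by Lombok's constructor. */
    private final TokenAuthenticationFilter tokenAuthenticationFilter;

    /** CORS policy supplied elsewhere in the application; applied to every request. */
    private final CorsConfigurationSource corsConfigurationSource;

    /**
     * Builds the single {@link SecurityFilterChain} for the application.
     *
     * @param http the {@link HttpSecurity} builder provided by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CORS must run before authorization so browser preflights (OPTIONS) are answered
            // even for protected paths.
            .cors(cors -> cors.configurationSource(corsConfigurationSource))

            // CSRF protection is only safe to disable because the API is stateless and the
            // credential is carried by the token filter, not by a session cookie. If a cookie
            // ever becomes the credential, this must be re-enabled.
            .csrf(AbstractHttpConfigurer::disable)

            // Never create or use an HTTP session: every request must carry its own token.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            )

            // Authorization rules. Matchers are evaluated in order; the first match wins,
            // so the narrow public allow-list comes first and the catch-all last.
            .authorizeHttpRequests(auth -> auth
                // Public API endpoints
                .requestMatchers(
                    "/api/create-group",
                    "/api/ge-prices",
                    "/api/captcha-enabled",
                    "/api/collection-log-info"
                ).permitAll()

                // Group endpoints require a valid token
                .requestMatchers("/api/group/**").authenticated()

                // Actuator: only the probe endpoints are public. The previous blanket
                // "/actuator/**" permitAll would have exposed env, heapdump, loggers, etc.
                // without authentication had they been enabled over HTTP; they now fall
                // through to the authenticated catch-all below.
                .requestMatchers("/actuator/health/**", "/actuator/info").permitAll()

                // Deny-by-default: anything not explicitly public needs authentication
                .anyRequest().authenticated()
            )

            // Run the token filter early so the SecurityContext is populated before the
            // authorization filter evaluates the rules above.
            .addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
}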