import { getDevBypassViolations } from "@capakraken/api/lib/runtime-security";

const DISALLOWED_PRODUCTION_SECRETS = new Set([
  "dev-secret-change-in-production",
  "changeme",
  "change-me",
  "default",
  "secret",
  "ci-build-placeholder-secret-minimum-32-chars",
  "ci-test-secret-minimum-32-chars-xx",
]);

// A cryptographically generated secret (openssl rand -base64 32 / -hex 32)
// has ≥ 32 ASCII characters and high Shannon entropy (≥ 4 bits per char
// for base64, ≥ 4 for hex). Values below these thresholds are either
// too short to resist offline brute force of the JWT signature, or are
// low-entropy strings like "password1234567890123456789012345678" that
// pass a simple length check but are trivially guessable.
const MIN_AUTH_SECRET_LENGTH = 32;
const MIN_AUTH_SECRET_SHANNON_ENTROPY = 3.5;

function shannonEntropy(value: string): number {
  if (value.length === 0) return 0;
  const counts = new Map<string, number>();
  for (const ch of value) {
    counts.set(ch, (counts.get(ch) ?? 0) + 1);
  }
  let entropy = 0;
  for (const count of counts.values()) {
    const p = count / value.length;
    entropy -= p * Math.log2(p);
  }
  return entropy;
}

type RuntimeEnv = Partial<Record<string, string | undefined>>;

function readEnvValue(env: RuntimeEnv, ...names: string[]): string | null {
  for (const name of names) {
    const value = env[name]?.trim();
    if (value) {
      return value;
    }
  }

  return null;
}

function isProductionLike(env: RuntimeEnv): boolean {
  return (env.NODE_ENV ?? "").trim() === "production";
}

function isLocalhost(hostname: string): boolean {
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
}

export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[] {
  if (!isProductionLike(env)) {
    return [];
  }

  const violations: string[] = [];
  const authSecret = readEnvValue(env, "AUTH_SECRET", "NEXTAUTH_SECRET");
  const authUrl = readEnvValue(env, "AUTH_URL", "NEXTAUTH_URL");

  if (!authSecret) {
    violations.push("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
  } else if (DISALLOWED_PRODUCTION_SECRETS.has(authSecret)) {
    violations.push(
      "AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
    );
  } else {
    if (authSecret.length < MIN_AUTH_SECRET_LENGTH) {
      violations.push(
        `AUTH_SECRET or NEXTAUTH_SECRET must be at least ${MIN_AUTH_SECRET_LENGTH} characters in production.`,
      );
    }
    if (shannonEntropy(authSecret) < MIN_AUTH_SECRET_SHANNON_ENTROPY) {
      violations.push(
        "AUTH_SECRET or NEXTAUTH_SECRET entropy is too low; generate with `openssl rand -base64 32`.",
      );
    }
  }

  violations.push(...getDevBypassViolations(env));

  if (!authUrl) {
    violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
  } else {
    try {
      const parsed = new URL(authUrl);
      if (parsed.protocol !== "https:" && !isLocalhost(parsed.hostname)) {
        violations.push("AUTH_URL or NEXTAUTH_URL must use https in production.");
      }
    } catch {
      violations.push("AUTH_URL or NEXTAUTH_URL must be a valid URL in production.");
    }
  }

  return violations;
}

export function assertSecureRuntimeEnv(env: RuntimeEnv = process.env): void {
  const violations = getRuntimeEnvViolations(env);
  if (violations.length === 0) {
    return;
  }

  throw new Error(`Invalid production runtime configuration: ${violations.join(" ")}`);
}