import { NextResponse, type NextRequest } from "next/server";

import { LOTTERY_API_V1_BASE } from "./src/api/paths";
import { generateCSP, nonCspSecurityHeaders } from "./src/lib/csp-config";

type RuntimeOriginsEnvelope = {
  code?: number;
  data?: {
    iframe_allowed_origins?: unknown;
  };
};

async function loadRuntimeOrigins(request: NextRequest): Promise<string[]> {
  try {
    const url = new URL(`${LOTTERY_API_V1_BASE}/integration/runtime-origins`, request.url);
    const response = await fetch(url, {
      headers: { Accept: "application/json" },
      cache: "no-store",
    });

    if (!response.ok) return [];

    const payload = (await response.json()) as RuntimeOriginsEnvelope;
    const origins = payload.data?.iframe_allowed_origins;

    if (!Array.isArray(origins)) return [];

    return origins.filter((origin): origin is string => typeof origin === "string");
  } catch {
    return [];
  }
}

export async function middleware(request: NextRequest): Promise<NextResponse> {
  const response = NextResponse.next();
  const runtimeOrigins = await loadRuntimeOrigins(request);

  response.headers.set("Content-Security-Policy", generateCSP(runtimeOrigins));
  for (const header of nonCspSecurityHeaders) {
    response.headers.set(header.key, header.value);
  }

  return response;
}

export const config = {
  matcher: ["/((?!api|_next/static|_next/image|favicon.ico|.*\\..*).*)"],
};