package com.trackingpremium.report.config;

import com.trackingpremium.report.filter.TokenAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.filter.CorsFilter;

/**
 * Web-layer security configuration: registers the global CORS mappings and
 * builds the Spring Security filter chain that runs the token authentication
 * filter.
 *
 * <p>NOTE(review): {@code TokenAuthenticationFilter} is injected as a bean and
 * also added to the security chain below. Spring Boot registers {@code Filter}
 * beans with the servlet container automatically, so the filter may run twice
 * per request unless that registration is disabled elsewhere. Verify.
 */
@Configuration
public class WebSecurityConfig implements WebMvcConfigurer {

    /**
     * Origins allowed to make cross-origin requests to this API.
     *
     * <p>NOTE(review): every entry here is also allowed to send credentials
     * (see {@link #addCorsMappings}). The list mixes local development
     * origins, a placeholder domain and a temporary host with the deployed
     * ones. Confirm that each origin is controlled by the project, and
     * consider supplying the list per environment.
     */
    private static final String[] ALLOWED_ORIGINS = {
        "http://localhost:5173",   // local front end (Vite/Symfony dev)
        "http://localhost:8080",   // local front end (React)
        "https://tu-dominio.com",  // labelled "production" but looks like a placeholder; confirm ownership
        "https://7a6f5497f35900797.temporary.link",
        "https://tpdev.emarketingpremium.com",
        "https://tp.emarketingpremium.com",
        "https://tp.multitrack.trackingpremium.us",
        "https://tpdev.multitrack.trackingpremium.us"
    };

    /** HTTP methods accepted on cross-origin requests. */
    private static final String[] ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"};

    private final TokenAuthenticationFilter tokenAuthenticationFilter;

    /**
     * Creates the configuration.
     *
     * @param tokenAuthenticationFilter filter added to the security chain after the CORS filter
     */
    @Autowired
    public WebSecurityConfig(TokenAuthenticationFilter tokenAuthenticationFilter) {
        this.tokenAuthenticationFilter = tokenAuthenticationFilter;
    }

    /**
     * Registers one global CORS mapping that covers every path.
     *
     * <p>Any request header is accepted and credentials are allowed, so a
     * browser will attach cookies or HTTP auth to requests coming from any of
     * the listed origins.
     *
     * @param registry the MVC CORS registry to add the mapping to
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins(ALLOWED_ORIGINS)
                .allowedMethods(ALLOWED_METHODS)
                .allowedHeaders("*")
                .allowCredentials(true); // needed only if cookies or HTTP auth are sent cross-origin
    }

    /**
     * Builds the security filter chain: CORS enabled, the token filter placed
     * after {@link CorsFilter}, and CSRF protection disabled.
     *
     * <p>NOTE(review): CSRF is disabled unconditionally. Nothing here limits
     * that to a development profile. This is safe only if authentication
     * never relies on cookies the browser sends automatically, and the CORS
     * mapping allows credentials. Confirm.
     *
     * <p>NOTE(review): the chain declares no authorization rules, so access
     * control presumably rests entirely on {@code TokenAuthenticationFilter}.
     * Verify that it rejects unauthenticated requests.
     *
     * @param http the security builder supplied by Spring
     * @return the configured filter chain
     * @throws Exception if the builder fails to configure or build the chain
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // With no dedicated CORS bean defined, this presumably picks up the MVC mappings
        // registered in addCorsMappings.
        http.cors();

        // Run token authentication after CORS handling.
        http.addFilterAfter(this.tokenAuthenticationFilter, CorsFilter.class);

        // CSRF protection off (appropriate only for APIs that do not use browser form/cookie auth).
        http.csrf().disable();

        return http.build();
    }
}
