import express from 'express';
import helmet from 'helmet';
import { ipLimiter } from './lib/rateLimiter.js';
import generateRouter from './routes/generate.js';
import checkLicenceRouter from './routes/checkLicence.js';
import { logger } from './lib/logger.js';

// Express application instance shared by every middleware and route below.
const app = express();

// Listening port: the PORT environment variable when set, otherwise 3010.
// Parsed as a base-10 integer.
const { PORT: envPort = '3010' } = process.env;
const PORT = Number.parseInt(envPort, 10);

// Trust Apache reverse proxy
// With a hop count of 1, Express treats the directly connected peer as a
// proxy and derives req.ip from the X-Forwarded-For value that peer sent.
// NOTE(review): that is only accurate when every request really arrives
// through Apache. A client that can reach this port directly supplies its
// own X-Forwarded-For, and so the address that IP-keyed middleware sees
// (presumably ipLimiter; confirm). Keep the port unreachable from outside
// the proxy.
app.set('trust proxy', 1);

// Security headers
// helmet() installs its default header set. The middleware after it then
// pins two headers explicitly, so they hold whatever helmet's defaults are:
//   - X-Content-Type-Options: nosniff (helmet's default in current releases)
//   - X-Frame-Options: DENY (tighter than helmet's SAMEORIGIN default)
// The override must stay registered after helmet(), otherwise helmet's
// values would overwrite it.
app.use(helmet());
app.use((_req, res, next) => {
  const pinnedHeaders = {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
  };
  for (const [headerName, headerValue] of Object.entries(pinnedHeaders)) {
    res.setHeader(headerName, headerValue);
  }
  next();
});

// Block direct browser access
// Any request carrying a non-empty Origin header is answered with 403.
// Requests without one continue down the chain.
// NOTE(review): Origin is a client-supplied header, so this is a guard
// against accidental cross-origin browser calls, not an access control.
// Browsers omit Origin on some requests (e.g. same-origin GETs and top-level
// navigations) and non-browser clients can leave it out. Authentication has
// to come from the HMAC check, presumably enforced inside the /api routers
// (confirm).
// This middleware is registered ahead of every route, so it also applies to
// /health.
app.use((req, res, next) => {
  const { origin } = req.headers;
  if (!origin) {
    next();
    return;
  }
  res.status(403).json({ error: 'browser_direct_access_forbidden' });
});

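// IP rate limiting
// Registered before the JSON body parser so that a throttled client is
// rejected before the server buffers and parses its request body (up to the
// 15mb limit below). With the parser first, every request, including those
// over the rate limit, could make the process read and parse a full body.
// NOTE(review): assumes ipLimiter keys on the client address only and never
// reads req.body; confirm against ./lib/rateLimiter.js.
app.use('/api/', ipLimiter);

// JSON body parsing for all paths. Bodies larger than 15mb are rejected by
// the parser. The parser is mounted globally, so it also runs for /health
// and for requests that end in the 404 handler.
app.use(express.json({ limit: '15mb' }));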

// Health check (no HMAC required)
// Unauthenticated liveness probe that returns a fixed status and a
// hard-coded version string. The path is outside the '/api/' prefix, so the
// ipLimiter mount does not cover it.
app.get('/health', (_req, res) => {
  const payload = { status: 'ok', version: '1.0.0' };
  res.json(payload);
});

// API routers, mounted in declaration order under the rate-limited '/api/'
// prefix.
const apiRoutes = [
  ['/api/generate', generateRouter],
  ['/api/check-licence', checkLicenceRouter],
];
for (const [mountPath, router] of apiRoutes) {
  app.use(mountPath, router);
}

// 404
// Catch-all for requests no earlier route answered. It must stay the last
// middleware registered. The JSON body is fixed and does not echo anything
// from the request.
app.use((_req, res) => {
  const body = { error: 'not_found' };
  res.status(404).json(body);
});

// Start the HTTP listener and log once the server is accepting connections.
// No host argument is passed, so Node listens on the unspecified address
// (all interfaces).
// NOTE(review): the app trusts one proxy hop for client addresses. If Apache
// runs on the same host, binding to the loopback address would keep clients
// from reaching this port without going through the proxy (confirm against
// the deployment).
// The listener starts as a side effect of importing this module.
const onListening = () => {
  logger.info('NoteToQuote API started', { port: PORT });
};
app.listen(PORT, onListening);

export default app;
