package com.sigem.gis.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Spring Security configuration for the GIS REST API and its static front end.
 *
 * <p>The application is stateless: no HTTP session is created, CSRF protection is switched
 * off, and both HTTP Basic and the default form login are disabled. Requests under
 * {@code /api/**} that are not explicitly listed as public must carry a JWT, which is
 * validated by {@link JwtAuthenticationFilter} ahead of the standard username/password
 * filter position.
 *
 * <p>NOTE(review): the public list below includes {@code /api/admin/**} and
 * {@code /api/gis/**}, so those API prefixes are reachable without a token; confirm that
 * this is intended, and consider restricting {@code /api/admin/**} to an authenticated
 * role. {@code /rest/**} is public too and, if the proxy forwards it to GeoServer's REST
 * interface, that interface is reachable unauthenticated as well. Non-API routes not in the
 * list fall through to {@code permitAll}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /** Route patterns served without authentication (all evaluated before the API catch-all). */
    private static final String[] PUBLIC_PATHS = {
        // Login endpoints.
        "/api/auth/**",
        // Labelled "Admin FDW" in the original configuration; currently open.
        "/api/admin/**",
        // GIS statistics data API; currently open.
        "/api/gis/**",
        // Front-end pages.
        "/login.html", "/", "/mapas/**", "/login", "/error",
        "/landing", "/landing.html", "/widgets", "/widgets.html",
        "/mapas_institucional.html",
        // Static resources.
        "/css/**", "/js/**", "/img/**", "/vendor/**",
        // GeoServer proxy.
        "/gwc/**", "/sigem/**", "/wms/**", "/wfs/**", "/rest/**"
    };

    /** Prefix under which every request not in {@link #PUBLIC_PATHS} must be authenticated. */
    private static final String PROTECTED_API = "/api/**";

    private final JwtAuthenticationFilter jwtAuthFilter;

    /**
     * @param jwtAuthFilter filter that authenticates requests from a bearer JWT; injected by Spring
     */
    public SecurityConfig(JwtAuthenticationFilter jwtAuthFilter) {
        this.jwtAuthFilter = jwtAuthFilter;
    }

    /**
     * Builds the single security filter chain for the application.
     *
     * @param http the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Stateless JWT API: no CSRF token exchange and no server-side session.
        // Disabling CORS here removes the CORS filter rather than allowing all origins;
        // revisit when cross-origin callers are required.
        http.csrf(csrf -> csrf.disable());
        http.cors(cors -> cors.disable());
        http.sessionManagement(
            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        // Rule order matters: the public list is matched first, then the /api/** catch-all
        // requires authentication, and anything else is allowed through.
        http.authorizeHttpRequests(authz -> authz
            .requestMatchers(PUBLIC_PATHS).permitAll()
            .requestMatchers(PROTECTED_API).authenticated()
            .anyRequest().permitAll());

        // The JWT filter is the only authentication mechanism; the built-in ones are off.
        http.httpBasic(basic -> basic.disable());
        http.formLogin(form -> form.disable());
        http.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

        // X-Frame-Options: SAMEORIGIN — pages may only be framed from this origin.
        http.headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));

        return http.build();
    }
}