import cors, { CorsOptions } from "cors";
import express, { Application } from "express";
import helmet from "helmet";
import responseTime from "response-time";
// ❗️ No cargamos dotenv aquí. Debe hacerse en el entrypoint o en ./config.
// dotenv.config();
import { ENV } from "./config";
import { logger } from "./lib/logger";

export function createApp(): Application {
  const app = express();
  app.set("port", process.env.SERVER_PORT ?? 3002);

  // Oculta la cabecera x-powered-by
  app.disable("x-powered-by");

  // Desactiva ETag correctamente a nivel de Express
  app.set("etag", false);

  // ───────────────────────────────────────────────────────────────────────────
  // Parsers
  app.use(express.json());
  app.use(express.text());
  app.use(express.urlencoded({ extended: true }));

  // Métrica de tiempo de respuesta
  app.use(responseTime());

  // ───────────────────────────────────────────────────────────────────────────
  // CORS
  const devCors: CorsOptions = {
    // En desarrollo reflejamos el Origin entrante (permite credenciales)
    origin: true,
    credentials: true,
    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    exposedHeaders: [
      "Content-Disposition",
      "Content-Type",
      "Content-Length",
      "X-Total-Count",
      "Pagination-Count",
      "Pagination-Page",
      "Pagination-Limit",
    ],
  };

  const prodCors: CorsOptions = {
    origin: ENV.FRONTEND_URL,
    credentials: true,
    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    exposedHeaders: [
      "Content-Disposition",
      "Content-Type",
      "Content-Length",
      "X-Total-Count",
      "Pagination-Count",
      "Pagination-Page",
      "Pagination-Limit",
    ],
  };

  app.use(cors(ENV.NODE_ENV === "development" ? devCors : prodCors));

  // ───────────────────────────────────────────────────────────────────────────
  // Seguridad HTTP
  app.use(helmet());

  // ───────────────────────────────────────────────────────────────────────────
  // Política de caché por defecto (no almacenamiento)
  app.use((_, res, next) => {
    res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
    res.setHeader("Pragma", "no-cache");
    res.setHeader("Expires", "0");
    next();
  });

  // Inicializar Auth Provider (placeholder)
  app.use((_, __, next) => {
    // authProvider.initialize();
    next();
  });

  // Logging de cada request
  app.use((req, _, next) => {
    logger.info(`▶️ Incoming request ${req.method} to ${req.path}`);
    next();
  });

  return app;
}