"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const express_1 = __importDefault(require("express"));
const cors_1 = __importDefault(require("cors"));
const helmet_1 = __importDefault(require("helmet"));
const compression_1 = __importDefault(require("compression"));
const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
const path_1 = __importDefault(require("path"));
const config_1 = require("./config/config");
const errorHandler_1 = require("./middleware/errorHandler");
const requestLogger_1 = require("./middleware/requestLogger");
const recipes_1 = __importDefault(require("./routes/recipes"));
const ingredients_1 = __importDefault(require("./routes/ingredients"));
const images_1 = __importDefault(require("./routes/images"));
const health_1 = __importDefault(require("./routes/health"));
const app = (0, express_1.default)();
app.use((0, helmet_1.default)({
    crossOriginResourcePolicy: { policy: "cross-origin" },
}));
app.use((0, compression_1.default)());
const limiter = (0, express_rate_limit_1.default)({
    windowMs: 15 * 60 * 1000,
    max: 100,
    message: 'Too many requests from this IP, please try again later.',
});
app.use(limiter);
const insecureOverride = process.env.ALLOW_INSECURE_CORS === '1';
const isProd = process.env.NODE_ENV === 'production';
let allowedOrigins = [];
if (config_1.config.cors.origin.includes(',')) {
    allowedOrigins = config_1.config.cors.origin.split(',').map(o => o.trim()).filter(Boolean);
}
else if (config_1.config.cors.origin === '*' && (!isProd || insecureOverride)) {
    allowedOrigins = ['*'];
}
else {
    allowedOrigins = [config_1.config.cors.origin];
}
allowedOrigins = Array.from(new Set(allowedOrigins.map(o => o.replace(/\/$/, ''))));
if (!isProd && !allowedOrigins.includes('*')) {
    ['http://localhost:5173', 'http://localhost:3000'].forEach(def => {
        if (!allowedOrigins.includes(def))
            allowedOrigins.push(def);
    });
}
if (isProd && allowedOrigins.includes('*') && !insecureOverride) {
    console.warn('[CORS] Wildcard removed in production. Set CORS_ORIGIN explicitly or ALLOW_INSECURE_CORS=1 (NOT RECOMMENDED).');
    allowedOrigins = allowedOrigins.filter(o => o !== '*');
}
app.use((0, cors_1.default)({
    origin: (origin, callback) => {
        if (!origin)
            return callback(null, true);
        if (allowedOrigins.includes('*') || allowedOrigins.includes(origin.replace(/\/$/, ''))) {
            return callback(null, true);
        }
        console.warn(`[CORS] Blocked origin: ${origin}`);
        return callback(new Error('CORS not allowed for this origin'));
    },
    credentials: true,
}));
app.use((req, res, next) => {
    const origin = req.headers.origin;
    const normalized = origin?.replace(/\/$/, '');
    if (allowedOrigins.includes('*')) {
        res.header('Access-Control-Allow-Origin', origin || '*');
    }
    else if (normalized && allowedOrigins.includes(normalized)) {
        res.header('Access-Control-Allow-Origin', normalized);
    }
    res.header('Access-Control-Allow-Credentials', 'true');
    res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
    res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
    if (req.method === 'OPTIONS') {
        return res.sendStatus(200);
    }
    next();
});
app.use(express_1.default.json({ limit: '10mb' }));
app.use(express_1.default.urlencoded({ extended: true, limit: '10mb' }));
app.use(requestLogger_1.requestLogger);
app.use('/uploads', express_1.default.static(path_1.default.join(process.cwd(), 'uploads')));
app.use('/api/health', health_1.default);
app.use('/api/recipes', recipes_1.default);
app.use('/api/ingredients', ingredients_1.default);
app.use('/api/images', images_1.default);
app.get('/serve/*', (req, res, next) => {
    const imagePath = req.params[0];
    const cleanPath = imagePath.replace(/^uploads\//, '');
    const fullPath = path_1.default.join(process.cwd(), '../../uploads', cleanPath);
    console.log(`Direct serve request: ${req.originalUrl} -> ${fullPath}`);
    const fs = require('fs');
    if (!fs.existsSync(fullPath)) {
        return res.status(404).json({
            success: false,
            message: 'Image not found',
            requestedPath: req.originalUrl,
            resolvedPath: fullPath
        });
    }
    const requestOrigin = req.headers.origin;
    const chosenOrigin = allowedOrigins.includes('*')
        ? (requestOrigin || '*')
        : (requestOrigin && allowedOrigins.includes(requestOrigin) ? requestOrigin : allowedOrigins[0] || 'http://localhost:3000');
    res.set({
        'Access-Control-Allow-Origin': chosenOrigin,
        'Access-Control-Allow-Credentials': 'true',
        'Cache-Control': 'public, max-age=31536000',
    });
    res.sendFile(path_1.default.resolve(fullPath));
});
app.use('*', (req, res) => {
    res.status(404).json({
        success: false,
        message: `Route ${req.originalUrl} not found`,
    });
});
app.use(errorHandler_1.errorHandler);
const PORT = config_1.config.port;
app.listen(PORT, () => {
    console.log(`🚀 Server running on port ${PORT}`);
    console.log(`📱 Health check: http://localhost:${PORT}/api/health`);
    console.log(`🎯 API Documentation: http://localhost:${PORT}/api`);
});
exports.default = app;
//# sourceMappingURL=app.js.map