import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
    const response = NextResponse.next();

    // Security Headers
    const headers = response.headers;

    // Prevent clickjacking
    headers.set('X-Frame-Options', 'SAMEORIGIN');

    // XSS Protection (legacy but still useful)
    headers.set('X-XSS-Protection', '1; mode=block');

    // Prevent MIME type sniffing
    headers.set('X-Content-Type-Options', 'nosniff');

    // Referrer Policy
    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');

    // Permissions Policy (restrict features)
    headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

    // Content Security Policy
    const csp = [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'", // Next.js requires unsafe-inline/eval
        "style-src 'self' 'unsafe-inline'", // Allow inline styles
        "img-src 'self' data: blob:",
        "font-src 'self' data:",
        "connect-src 'self' https://openrouter.ai https://gotify.example.com",
        "media-src 'self' blob:",
        "frame-ancestors 'self'",
    ].join('; ');
    headers.set('Content-Security-Policy', csp);

    return response;
}

// Apply middleware to all routes
export const config = {
    matcher: [
        /*
         * Match all request paths except for the ones starting with:
         * - _next/static (static files)
         * - _next/image (image optimization files)
         * - favicon.ico (favicon file)
         */
        '/((?!_next/static|_next/image|favicon.ico).*)',
    ],
};