/**
 * SSRF-hardened `fetch` for use whenever the URL we're about to call could
 * be influenced by user input (shop settings, Shopify-supplied product
 * image URLs, DB-stored Files URLs, …).
 *
 * Defenses:
 *   - Only `https:` is allowed by default. `http:` is allowed only for
 *     localhost when `NODE_ENV !== "production"` (handy for local dev).
 *   - Hostname is DNS-resolved and every returned address is checked
 *     against private / loopback / link-local / unique-local ranges.
 *   - The connection is then forced to the resolved IP (with the original
 *     Host header preserved) to defeat DNS-rebinding.
 *   - A hard request timeout is enforced (default 5 s).
 *   - Response size is capped while reading; we abort once the limit is
 *     exceeded instead of buffering the whole body first.
 *   - Redirects are not followed — if the caller wants a redirected target
 *     they have to re-validate it explicitly.
 *
 * The helper returns the raw bytes plus the response status / content-type
 * so callers can decide what to do with them.
 */
import { lookup as dnsLookup } from "node:dns/promises";
import net from "node:net";
import { Agent as HttpAgent } from "node:http";
import { Agent as HttpsAgent } from "node:https";
import http from "node:http";
import https from "node:https";

export interface SafeFetchOptions {
  /** Hard cap in bytes; the read aborts as soon as this is exceeded. */
  maxBytes?: number;
  /** Total request timeout in milliseconds (default 5000). */
  timeoutMs?: number;
  /** Optional `Accept` header. */
  accept?: string;
  /**
   * If non-empty, only hosts whose lowercase name equals one of these or
   * ends with `.<entry>` are allowed. Useful for locking calls to known
   * good CDNs (e.g. `cdn.shopify.com`).
   */
  allowedHosts?: string[];
}

export interface SafeFetchResult {
  status: number;
  contentType: string | null;
  bytes: Uint8Array;
  bytesRead: number;
}

export class SafeFetchError extends Error {
  readonly code: string;
  constructor(code: string, message: string) {
    super(message);
    this.code = code;
    this.name = "SafeFetchError";
  }
}

const DEFAULT_TIMEOUT_MS = 5_000;
const DEFAULT_MAX_BYTES = 8 * 1024 * 1024; // 8 MB

function isPrivateIpv4(ip: string): boolean {
  const parts = ip.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 4 || parts.some((n) => !Number.isFinite(n) || n < 0 || n > 255)) {
    // Treat malformed addresses as unsafe.
    return true;
  }
  const [a, b] = parts;
  if (a === 10) return true;
  if (a === 127) return true;
  if (a === 0) return true;
  if (a === 169 && b === 254) return true; // link-local + AWS metadata
  if (a === 172 && b >= 16 && b <= 31) return true;
  if (a === 192 && b === 168) return true;
  if (a === 192 && b === 0) return true; // 192.0.0.0/24, 192.0.2.0/24
  if (a === 198 && (b === 18 || b === 19)) return true;
  if (a >= 224) return true; // multicast / reserved
  return false;
}

function isPrivateIpv6(ip: string): boolean {
  const lower = ip.toLowerCase();
  if (lower === "::1" || lower === "::") return true;
  if (lower.startsWith("fe80:")) return true; // link-local
  if (lower.startsWith("fc") || lower.startsWith("fd")) return true; // ULA
  if (lower.startsWith("ff")) return true; // multicast
  // IPv4-mapped: ::ffff:a.b.c.d — apply IPv4 rules
  if (lower.startsWith("::ffff:")) {
    const v4 = lower.slice(7);
    if (v4.includes(".")) return isPrivateIpv4(v4);
  }
  return false;
}

function isPrivateAddress(ip: string, family: number): boolean {
  if (family === 4) return isPrivateIpv4(ip);
  if (family === 6) return isPrivateIpv6(ip);
  return true;
}

function hostMatchesAllowlist(hostname: string, allowed: string[] | undefined): boolean {
  if (!allowed || allowed.length === 0) return true;
  const h = hostname.toLowerCase();
  return allowed.some((entry) => {
    const e = entry.toLowerCase();
    return h === e || h.endsWith(`.${e}`);
  });
}

/**
 * Resolves a hostname to an IPv4/IPv6 address that has been vetted against
 * the private/loopback ranges. Throws `SafeFetchError` if no safe address
 * can be obtained.
 */
async function resolveSafeAddress(hostname: string): Promise<{ address: string; family: number }> {
  // If the hostname is already an IP literal, validate it directly.
  if (net.isIP(hostname)) {
    const family = net.isIPv6(hostname) ? 6 : 4;
    if (isPrivateAddress(hostname, family)) {
      throw new SafeFetchError("blocked-address", `Refusing to connect to private address ${hostname}`);
    }
    return { address: hostname, family };
  }
  let results: { address: string; family: number }[];
  try {
    results = await dnsLookup(hostname, { all: true });
  } catch (err) {
    throw new SafeFetchError("dns-failed", `DNS lookup failed for ${hostname}: ${(err as Error).message}`);
  }
  for (const r of results) {
    if (isPrivateAddress(r.address, r.family)) {
      throw new SafeFetchError("blocked-address", `${hostname} resolves to private address ${r.address}`);
    }
  }
  const first = results[0];
  if (!first) throw new SafeFetchError("dns-empty", `${hostname} resolved to no addresses`);
  return { address: first.address, family: first.family };
}

/**
 * Performs an SSRF-safe HTTP(S) GET. Throws `SafeFetchError` for policy
 * violations; throws plain `Error` for transport failures (mirroring the
 * standard `fetch` error model).
 */
export async function safeFetch(rawUrl: string, opts: SafeFetchOptions = {}): Promise<SafeFetchResult> {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new SafeFetchError("bad-url", `Invalid URL: ${rawUrl}`);
  }

  const allowHttp =
    process.env.NODE_ENV !== "production" &&
    (url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "::1");
  if (url.protocol !== "https:" && !(url.protocol === "http:" && allowHttp)) {
    throw new SafeFetchError("bad-scheme", `Refusing non-https URL: ${url.protocol}//${url.hostname}`);
  }

  if (!hostMatchesAllowlist(url.hostname, opts.allowedHosts)) {
    throw new SafeFetchError("host-not-allowed", `Host ${url.hostname} is not on the allowlist`);
  }

  const { address, family } = await resolveSafeAddress(url.hostname);

  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
  const maxBytes = opts.maxBytes ?? DEFAULT_MAX_BYTES;

  // Pin the resolved IP. We pass an Agent with a custom `lookup` that always
  // returns our pre-validated address, so the actual TCP connect can't be
  // re-resolved to something else (DNS-rebinding defense).
  //
  // Note: Node 20+ enables Happy Eyeballs (`autoSelectFamily: true`) by
  // default on the http/https agents. Happy Eyeballs calls `lookup` with
  // `{ all: true }` and expects the callback to receive an *array* of
  // `{ address, family }` records. If we ignore that and always invoke the
  // 3-arg form, the connector hands `undefined` to `socket.connect()`,
  // which then throws `Invalid IP address: undefined`.
  type LookupCb =
    | ((err: NodeJS.ErrnoException | null, address: string, family: number) => void)
    | ((err: NodeJS.ErrnoException | null, addresses: { address: string; family: number }[]) => void);
  const pinnedLookup = (
    _hostname: string,
    optionsOrCb: { all?: boolean; family?: number } | LookupCb,
    maybeCb?: LookupCb,
  ) => {
    let options: { all?: boolean; family?: number } = {};
    let cb: LookupCb;
    if (typeof optionsOrCb === "function") {
      cb = optionsOrCb;
    } else {
      options = optionsOrCb ?? {};
      cb = maybeCb as LookupCb;
    }
    if (options.all) {
      (cb as (err: NodeJS.ErrnoException | null, addresses: { address: string; family: number }[]) => void)(
        null,
        [{ address, family }],
      );
    } else {
      (cb as (err: NodeJS.ErrnoException | null, address: string, family: number) => void)(
        null,
        address,
        family,
      );
    }
  };

  const isHttps = url.protocol === "https:";
  const agent = isHttps
    ? new HttpsAgent({ keepAlive: false, lookup: pinnedLookup as never })
    : new HttpAgent({ keepAlive: false, lookup: pinnedLookup as never });

  const headers: Record<string, string> = {
    Host: url.host,
    "User-Agent": "linumiq-invoice/1.0 (+https://linumiq.com)",
  };
  if (opts.accept) headers["Accept"] = opts.accept;

  const requestOptions: http.RequestOptions = {
    method: "GET",
    host: url.hostname,
    port: url.port ? parseInt(url.port, 10) : isHttps ? 443 : 80,
    path: `${url.pathname}${url.search}`,
    headers,
    agent,
    // Defeat redirects (Node's http doesn't follow by default).
  };

  return new Promise<SafeFetchResult>((resolve, reject) => {
    const lib = isHttps ? https : http;
    const req = lib.request(requestOptions, (res) => {
      const status = res.statusCode ?? 0;
      // Reject 3xx — caller must explicitly re-call with the new URL.
      if (status >= 300 && status < 400) {
        res.resume();
        reject(new SafeFetchError("redirect-not-allowed", `Refusing redirect ${status} from ${rawUrl}`));
        return;
      }
      const chunks: Buffer[] = [];
      let total = 0;
      res.on("data", (chunk: Buffer) => {
        total += chunk.length;
        if (total > maxBytes) {
          res.destroy(new SafeFetchError("too-large", `Response exceeded ${maxBytes} bytes`));
          return;
        }
        chunks.push(chunk);
      });
      res.on("end", () => {
        const buf = Buffer.concat(chunks, total);
        resolve({
          status,
          contentType: res.headers["content-type"] ?? null,
          bytes: new Uint8Array(buf),
          bytesRead: total,
        });
      });
      res.on("error", (err) => reject(err));
    });
    req.setTimeout(timeoutMs, () => {
      req.destroy(new SafeFetchError("timeout", `Request to ${url.hostname} exceeded ${timeoutMs}ms`));
    });
    req.on("error", (err) => reject(err));
    req.end();
  });
}

/** Common allowlist for Shopify-served assets (CDN + Files). */
export const SHOPIFY_CDN_HOSTS = ["cdn.shopify.com", "shopifycdn.com", "shopify.com"];