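/**
 * CSRF Token Auto-Injection Plugin
 *
 * Implements the "Double Submit Cookie" pattern for CSRF protection:
 *
 * 1. Server generates CSRF token on login/register
 * 2. Token stored in session database AND sent as readable cookie
 * 3. This plugin reads token from cookie on every request
 * 4. Adds token to X-CSRF-Token header automatically
 * 5. Server validates: cookie matches header AND both match session
 *
 * Security: a cross-site attacker can make the browser *send* the cookie but
 * cannot *read* it (same-origin policy), so they cannot reproduce it in the
 * header. This only holds while
 *   (a) the server binds the token to the session (step 5) rather than merely
 *       comparing cookie and header,
 *   (b) the header is sent exclusively to our own origin -- a session-bound
 *       secret must never be forwarded to third-party APIs, which is why the
 *       interceptor below gates on origin, and
 *   (c) there is no XSS on this origin; injected script reads the cookie and
 *       defeats any cookie-based CSRF defence.
 * A `SameSite` attribute on the session cookie is a complementary control,
 * not a replacement for this token.
 *
 * No changes needed in components - this runs automatically!
 */
export default defineNuxtPlugin(() => {
  const CSRF_COOKIE = 'csrf_token'
  const CSRF_HEADER = 'X-CSRF-Token'

  /**
   * Read the CSRF token from the non-httpOnly `csrf_token` cookie.
   *
   * Returns null when running outside a browser (Nuxt plugins also execute
   * during SSR, where `document` does not exist), when the cookie is absent,
   * or when its value is not valid percent-encoding (a malformed cookie must
   * not turn every `$fetch` call into a URIError).
   * The cookie is split on the FIRST `=` only: the previous `split('=')`
   * truncated tokens containing `=` (e.g. padded base64).
   */
  const getCsrfTokenFromCookie = (): string | null => {
    if (typeof document === 'undefined') {
      return null
    }
    for (const rawCookie of document.cookie.split(';')) {
      const cookie = rawCookie.trim()
      const eq = cookie.indexOf('=')
      if (eq === -1 || cookie.slice(0, eq) !== CSRF_COOKIE) {
        continue
      }
      try {
        return decodeURIComponent(cookie.slice(eq + 1))
      } catch {
        return null
      }
    }
    return null
  }

  /**
   * True when `request` targets this page's origin.
   *
   * Relative URLs (the normal case for Nitro `/api/...` routes) resolve
   * against `location.origin` and therefore qualify; absolute URLs and
   * `Request` objects qualify only when their origin matches. Unparseable
   * URLs and non-browser contexts fail closed (false). An app whose API lives
   * on a different origin must widen this check deliberately rather than
   * attach the token everywhere.
   */
  const isSameOrigin = (request: string | Request | URL): boolean => {
    if (typeof location === 'undefined') {
      return false
    }
    const url =
      typeof request === 'string'
        ? request
        : 'url' in request
          ? request.url
          : String(request)
    try {
      return new URL(url, location.origin).origin === location.origin
    } catch {
      return false
    }
  }

  // Replace the global $fetch with an instance whose request hook injects the
  // header. `$fetch.create` inherits the current defaults, so nothing else
  // about request handling changes.
  globalThis.$fetch = $fetch.create({
    onRequest({ request, options }) {
      if (!isSameOrigin(request)) {
        // Never send a session-bound secret to a foreign origin.
        return
      }
      const csrfToken = getCsrfTokenFromCookie()
      if (!csrfToken) {
        return
      }
      // Normalise whatever HeadersInit shape the caller supplied (plain
      // object, tuple array, Headers, or nothing) into a Headers instance.
      // `set` overwrites an existing X-CSRF-Token instead of appending a
      // duplicate, which the old array branch could do.
      const headers = new Headers(options.headers)
      headers.set(CSRF_HEADER, csrfToken)
      options.headers = headers
    },
  })
})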