<?php

use App\Http\Middleware\BasicAuthMiddleware;
use App\Http\Middleware\LogApiUsage;
use App\Http\Middleware\RejectLegacyApiKeys;
use App\Http\Middleware\SetCurrentPortal;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;
use Laravel\Sanctum\Http\Middleware\CheckAbilities;
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/domains.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {

        // Portal-Kontext nach dem Theme-Provider setzen (liest config('app.theme'))
        $middleware->append(SetCurrentPortal::class);

        // Wohin eingeloggte User von Gast-Routen (/login, /register) gelenkt
        // werden: rollen- und verifizierungsbewusst statt fix auf /dashboard,
        // sonst landet ein Customer dort im 403 und sitzt fest.
        $middleware->redirectUsersTo(function (Request $request) {
            $user = $request->user();

            if ($user && ! $user->hasVerifiedEmail()) {
                return route('verification.notice');
            }

            if ($user?->canAccessAdmin()) {
                return route('dashboard');
            }

            return $user?->canAccessCustomer() ? route('me.dashboard') : '/';
        });

        $middleware->api(prepend: [
            LogApiUsage::class,
            RejectLegacyApiKeys::class,
        ]);

        $middleware->alias([
            'abilities' => CheckAbilities::class,
            'ability' => CheckForAnyAbility::class,
        ]);

        // BasicAuth ganz am Ende, nach Session-Middleware
        if (env('BASIC_AUTH_ENABLED', true)) {
            $middleware->append(BasicAuthMiddleware::class);
        }
        // Trust all proxies (for Traefik/Docker setup)
        $middleware->trustProxies(
            at: '*',
            headers: Request::HEADER_X_FORWARDED_FOR |
                Request::HEADER_X_FORWARDED_HOST |
                Request::HEADER_X_FORWARDED_PORT |
                Request::HEADER_X_FORWARDED_PROTO
        );
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();