<?php

use App\Http\Middleware\BasicAuthMiddleware;
use App\Http\Middleware\LogApiUsage;
use App\Http\Middleware\RejectLegacyApiKeys;
use App\Http\Middleware\SetCurrentPortal;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;
use Laravel\Sanctum\Http\Middleware\CheckAbilities;
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/domains.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {

        // Portal-Kontext nach dem Theme-Provider setzen (liest config('app.theme'))
        $middleware->append(SetCurrentPortal::class);

        $middleware->api(prepend: [
            LogApiUsage::class,
            RejectLegacyApiKeys::class,
        ]);

        $middleware->alias([
            'abilities' => CheckAbilities::class,
            'ability' => CheckForAnyAbility::class,
        ]);

        // BasicAuth ganz am Ende, nach Session-Middleware
        if (env('BASIC_AUTH_ENABLED', true)) {
            $middleware->append(BasicAuthMiddleware::class);
        }
        // Trust all proxies (for Traefik/Docker setup)
        $middleware->trustProxies(
            at: '*',
            headers: Request::HEADER_X_FORWARDED_FOR |
                Request::HEADER_X_FORWARDED_HOST |
                Request::HEADER_X_FORWARDED_PORT |
                Request::HEADER_X_FORWARDED_PROTO
        );
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();