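require 'apartment'
require 'ims/lti'
require 'attr_encrypted'
require 'secure_headers'

module PandaPal
  # Rails engine wiring for PandaPal: engine migration paths, controller and
  # route helper mixins, LTI navigation propagation, and the secure_headers
  # policy (cookies, framing, CSP) applied to the host application.
  class Engine < ::Rails::Engine
    config.autoload_once_paths += Dir["#{config.root}/lib/**/"]
    isolate_namespace PandaPal

    config.generators do |g|
      g.test_framework :rspec
      g.fixture_replacement :factory_girl, dir: 'spec/factories'
    end

    # Make the engine's migrations visible to the host app. Skipped when the
    # host app *is* the engine (its own dummy/test app), which would otherwise
    # register the same migration paths twice.
    initializer :append_migrations do |app|
      # Plain substring test. `String#match(root.to_s)` compiled the engine
      # root into a Regexp, so a path containing `.`, `+` or `(` was treated
      # as a pattern rather than a literal path.
      unless app.root.to_s.include?(root.to_s)
        config.paths["db/migrate"].expanded.each do |expanded_path|
          app.config.paths["db/migrate"] << expanded_path
        end
        # Apartment will modify this, but it doesn't fully support engine migrations, so we'll reset it here
        ActiveRecord::Migrator.migrations_paths = Rails.application.paths['db/migrate'].to_a
      end
    end

    initializer 'panda_pal.app_controller' do |app|
      # Constant assignment inside a block uses the lexical scope, so this
      # defines PandaPal::Engine::OAUTH_10_SUPPORT rather than a top-level constant.
      OAUTH_10_SUPPORT = true
      ActiveSupport.on_load(:action_controller) do
        include PandaPal::Helpers::ControllerHelper
      end
    end

    initializer 'panda_pal.route_helper' do |route|
      ActionDispatch::Routing::Mapper.send :include, PandaPal::Helpers::RouteHelper
    end

    initializer 'panda_pal.route_options' do |app|
      ActiveSupport.on_load(:action_controller) do
        # Routes are reloaded before navigation propagation so the LTI
        # navigation entries see the final route set.
        Rails.application.reload_routes!
        PandaPal::propagate_lti_navigation
      end
    end

    initializer :secure_headers do |app|
      # secure_headers expects CSP keyword sources with their surrounding
      # single quotes, hence %w('self') rather than %w(self).
      connect_src = %w('self')
      script_src = %w('self')

      if Rails.env.development?
        # Allow webpack-dev-server to work
        connect_src << "http://localhost:3035"
        connect_src << "ws://localhost:3035"
        # Allow stuff like rack-mini-profiler to work in development:
        # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
        # DON'T ENABLE THIS FOR PRODUCTION!
        script_src << "'unsafe-eval'"
      end

      SecureHeaders::Configuration.default do |config|
        # The default cookie headers aren't compatible with PandaPal cookies currently
        config.cookies = { samesite: { none: true } }
        # The Secure attribute is only set in production; any other
        # HTTPS-served environment (e.g. staging) keeps the non-secure default.
        config.cookies[:secure] = true if Rails.env.production?

        # Need to allow LTI iframes. Note that "ALLOWALL" is not a value defined
        # for X-Frame-Options (RFC 7034 defines DENY, SAMEORIGIN and ALLOW-FROM),
        # so browsers ignore the header and framing is unrestricted. The
        # standards-based way to restrict framing to the LTI platform is a CSP
        # `frame_ancestors` directive listing the platform origins —
        # TODO: confirm which origins the deployments need before adding one.
        config.x_frame_options = "ALLOWALL"
        config.x_content_type_options = "nosniff"
        config.x_xss_protection = "1; mode=block"
        config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
        config.csp = {
          default_src: %w('self'),
          script_src: script_src,
          # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
          style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
          font_src: %w('self' data: https://fonts.gstatic.com),
          connect_src: connect_src,
        }
      end

      # Named override that opts cookie-header rewriting out entirely.
      # NOTE(review): presumably selected per request for Safari's SameSite=None
      # handling — confirm at the call site.
      SecureHeaders::Configuration.override(:safari_override) do |config|
        config.cookies = SecureHeaders::OPT_OUT
      end
    end
  end
end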