require 'secure_headers'

module CoalescingPanda
  class Engine < ::Rails::Engine
    config.autoload_once_paths += Dir["#{config.root}/lib/**/"]
    isolate_namespace CoalescingPanda

    config.generators do |g|
      g.test_framework :rspec
      g.fixture_replacement :factory_girl, :dir => 'spec/factories'
    end

    initializer :append_migrations do |app|
      unless app.root.to_s.match root.to_s
        config.paths["db/migrate"].expanded.each do |expanded_path|
          app.config.paths["db/migrate"] << expanded_path
        end
      end
    end

    initializer 'coalescing_panda.app_controller' do |app|
      OAUTH_10_SUPPORT = true
      ActiveSupport.on_load(:action_controller) do
        include CoalescingPanda::ControllerHelpers
      end
    end

    initializer 'coalescing_panda.assets' do |app|
      app.config.assets.precompile << 'coalescing_panda/manifest.js'
    end

    initializer 'cloaescing_panda.route_helper' do |route|
      ActionDispatch::Routing::Mapper.send :include, CoalescingPanda::RouteHelpers
    end

    initializer 'coalescing_panda.route_options', :after => :disable_dependency_loading do |app|
      ActiveSupport.on_load(:action_controller) do
        #force the routes to load
        Rails.application.reload_routes!
        CoalescingPanda::propagate_lti_navigation
      end
    end

    initializer :secure_headers do |app|
      connect_src = %w('self')
      script_src = %w('self')

      if Rails.env.development?
        # Allow webpack-dev-server to work
        connect_src << "http://localhost:3035"
        connect_src << "ws://localhost:3035"

        # Allow stuff like rack-mini-profiler to work in development:
        # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
        # DON'T ENABLE THIS FOR PRODUCTION!
        script_src << "'unsafe-eval'"
      elsif CoalescingPanda.lti_options.has_key?(:allow_unsafe_eval) && CoalescingPanda.lti_options[:allow_unsafe_eval] == true
        # For when code is returned from server and injected into dom.  Need to have unsafe-eval or it won't work.
        script_src << "'unsafe-eval'"
      end

      SecureHeaders::Configuration.default do |config|
        # The default cookie headers aren't compatible with PandaPal cookies currently
        config.cookies = { samesite: { none: true } }

        if Rails.env.production?
          config.cookies[:secure] = true
        end

        # Need to allow LTI iframes
        config.x_frame_options = "ALLOWALL"

        config.x_content_type_options = "nosniff"
        config.x_xss_protection = "1; mode=block"
        config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)

        config.csp = {
            default_src: %w('self'),
            script_src: script_src,
            # Certain CSS-in-JS libraries inline the CSS, so we need to use unsafe-inline for them
            style_src: %w('self' 'unsafe-inline' blob: https://fonts.googleapis.com),
            font_src: %w('self' data: https://fonts.gstatic.com),
            connect_src: connect_src,
        }
      end

      SecureHeaders::Configuration.override(:safari_override) do |config|
        config.cookies = SecureHeaders::OPT_OUT
      end

      SecureHeaders::Configuration.override(:allow_inline_scripts) do |config|
        config.csp[:script_src] << "'unsafe-inline'"
      end
    end

  end
end