#!/usr/bin/env bash
# Test NPM API proxy host CREATE endpoint to discover accepted properties.
# Run from repo root. Uses .env for NPM_URL, NPM_EMAIL, NPM_PASSWORD.
# Creates a temporary test host then deletes it. No edits to create-npmplus-defi-oracle-hosts.sh.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
cd "$PROJECT_ROOT"

# Load .env
_orig_npm_url="${NPM_URL:-}"
_orig_npm_email="${NPM_EMAIL:-}"
_orig_npm_password="${NPM_PASSWORD:-}"
if [ -f .env ]; then
  set +u
  set -a
  # shellcheck source=/dev/null
  source .env 2>/dev/null || true
  set +a
  set -u
  [ -n "$_orig_npm_url" ] && NPM_URL="$_orig_npm_url"
  [ -n "$_orig_npm_email" ] && NPM_EMAIL="$_orig_npm_email"
  [ -n "$_orig_npm_password" ] && NPM_PASSWORD="$_orig_npm_password"
fi

NPM_URL="${NPM_URL:-https://192.168.11.167:81}"
NPM_EMAIL="${NPM_EMAIL:-admin@example.org}"
NPM_PASSWORD="${NPM_PASSWORD:-}"

if [ -z "$NPM_PASSWORD" ]; then
  echo "❌ NPM_PASSWORD required in .env"
  exit 1
fi

# Auth
AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" -H "Content-Type: application/json" -d "$AUTH_JSON")
TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // empty' 2>/dev/null || true)
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
  echo "❌ NPM auth failed"
  exit 1
fi

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "NPM API: probe CREATE proxy-hosts (comprehensive test)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# 1. Get one existing proxy host to see full response shape (property names)
echo "1. Fetching existing proxy hosts (first host keys only)..."
PROXY_HOSTS_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" -H "Authorization: Bearer $TOKEN")
FIRST_KEYS=$(echo "$PROXY_HOSTS_JSON" | jq -r 'if type == "array" then (.[0] | keys | join(", ")) else (.[0] // .result[0] // {} | keys | join(", ")) end' 2>/dev/null || echo "unknown")
echo "   First proxy host top-level keys: $FIRST_KEYS"
echo ""

# 2. Check response structure (array vs .result)
if echo "$PROXY_HOSTS_JSON" | jq -e '.result' >/dev/null 2>&1; then
  echo "   API returns proxy hosts in .result array"
  LIST_JQ='.result'
else
  echo "   API returns proxy hosts as top-level array"
  LIST_JQ='.'
fi
echo ""

# Test domain (unique so we can delete after)
TEST_DOMAIN="npm-test-$(date +%s).local"

# 3. Try minimal payload (only fields we believe are required)
echo "2. CREATE with minimal payload (domain_names, forward_scheme, forward_host, forward_port, allow_websocket_upgrade)"
MINIMAL_PAYLOAD=$(jq -n \
  --arg domain "$TEST_DOMAIN" \
  '{
    domain_names: [$domain],
    forward_scheme: "http",
    forward_host: "127.0.0.1",
    forward_port: 80,
    allow_websocket_upgrade: false
  }')
echo "   Payload: $MINIMAL_PAYLOAD"
RESP_MINIMAL=$(curl -s -k -X POST "$NPM_URL/api/nginx/proxy-hosts" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "$MINIMAL_PAYLOAD")
echo "   Response: $RESP_MINIMAL"
if echo "$RESP_MINIMAL" | jq -e '.id' >/dev/null 2>&1; then
  CREATED_ID=$(echo "$RESP_MINIMAL" | jq -r '.id')
  echo "   ✅ Minimal payload ACCEPTED (id=$CREATED_ID)"
  echo ""
  echo "3. Deleting test host (id=$CREATED_ID)..."
  curl -s -k -X DELETE "$NPM_URL/api/nginx/proxy-hosts/$CREATED_ID" -H "Authorization: Bearer $TOKEN" >/dev/null || true
  echo "   Done."
else
  ERR_MSG=$(echo "$RESP_MINIMAL" | jq -r '.message // .error // .error.message // .' 2>/dev/null || echo "$RESP_MINIMAL")
  echo "   ❌ Minimal payload REJECTED: $ERR_MSG"
  echo ""

  # 4. If minimal failed, try with certificate_id and access_list_id (common optional)
  echo "4. CREATE with minimal + certificate_id + access_list_id"
  PAYLOAD_WITH_CERT=$(jq -n \
    --arg domain "$TEST_DOMAIN" \
    '{
      domain_names: [$domain],
      forward_scheme: "http",
      forward_host: "127.0.0.1",
      forward_port: 80,
      allow_websocket_upgrade: false,
      certificate_id: 0,
      access_list_id: 0
    }')
  echo "   Payload: $PAYLOAD_WITH_CERT"
  RESP_CERT=$(curl -s -k -X POST "$NPM_URL/api/nginx/proxy-hosts" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "$PAYLOAD_WITH_CERT")
  echo "   Response: $RESP_CERT"
  if echo "$RESP_CERT" | jq -e '.id' >/dev/null 2>&1; then
    CREATED_ID=$(echo "$RESP_CERT" | jq -r '.id')
    echo "   ✅ Payload with cert/list IDs ACCEPTED (id=$CREATED_ID)"
    curl -s -k -X DELETE "$NPM_URL/api/nginx/proxy-hosts/$CREATED_ID" -H "Authorization: Bearer $TOKEN" >/dev/null || true
  else
    echo "   ❌ Still rejected."
  fi
  echo ""

  # 5. List all keys from first existing host (for reference)
  echo "5. Keys on existing proxy host (for reference):"
  echo "$PROXY_HOSTS_JSON" | jq -r 'if type == "array" then (.[0] | keys) else (.result[0] // .[0] | keys) end' 2>/dev/null | tr -d '[]"' | sed 's/,/\n/g' | sed 's/^/   /' || true
fi

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Test complete. Use output above to fix create-npmplus-defi-oracle-hosts.sh payload."
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"