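package main

import (
	"log"
	"os"

	"github.com/gin-gonic/gin"
	"github.com/tcs-iptv/tcs/internal/bff"
	"github.com/tcs-iptv/tcs/internal/httpx"
)

// main starts the regulator console BFF (phase 3B): the browser only ever
// holds a session token, while the API signing keys stay on the backend.
//
// Every secret below has a built-in demo value so the example runs out of the
// box. Those values are public by virtue of being in source, so they are
// accepted only outside gin's release mode; see secretEnv.
func main() {
	apiBase := getenv("TCS_API_BASE", "http://localhost:8080")
	addr := getenv("TCS_BFF_ADDR", ":8090")

	b := bff.New(apiBase)

	// Credentials are loaded from the environment / Vault. Hard-coding them is
	// strictly forbidden in production, so the secret half of each pair goes
	// through secretEnv. The access-key IDs keep a plain default.
	b.SetCred("regulator",
		getenv("TCS_AK_REGULATOR", "ak-regulator"),
		secretEnv("TCS_SK_REGULATOR", "sk-regulator"))
	b.SetCred("reviewer",
		getenv("TCS_AK_REVIEWER", "ak-reviewer"),
		secretEnv("TCS_SK_REVIEWER", "sk-reviewer"))

	// Console users (production should delegate to SSO/LDAP + MFA).
	b.AddUser("admin", secretEnv("TCS_ADMIN_PASS", "admin123"), "regulator")
	b.AddUser("reviewer", secretEnv("TCS_REVIEWER_PASS", "review123"), "reviewer")

	r := gin.Default()
	httpx.Health(r, "console-bff")

	// Login is the only /bff route registered without AuthMiddleware.
	// NOTE(review): no attempt throttling or lockout is visible in this file;
	// confirm that bff.Login provides it.
	r.POST("/bff/login", b.Login)

	authed := r.Group("/bff", b.AuthMiddleware())
	// browser → BFF → (HMAC) → api-svc
	// NOTE(review): the wildcard forwards any method and any sub-path under
	// the role's signing key; confirm that bff.Proxy restricts the upstream
	// path to what each role may reach.
	authed.Any("/api/*path", b.Proxy)

	log.Printf("console-bff listening on %s (proxy → %s)", addr, apiBase)
	if err := r.Run(addr); err != nil {
		log.Fatalf("console-bff failed: %v", err)
	}
}

// getenv returns the value of environment variable k, or def when k is unset
// or empty. Use it for non-secret settings only.
func getenv(k, def string) string {
	if v := os.Getenv(k); v != "" {
		return v
	}
	return def
}

// secretEnv returns the value of environment variable k. When k is unset or
// empty it fails closed in gin's release mode (GIN_MODE=release): the process
// exits rather than start with a credential that is published in source.
// Outside release mode it returns the demo value and logs a warning that names
// the variable but never the value.
func secretEnv(k, demo string) string {
	if v := os.Getenv(k); v != "" {
		return v
	}
	if gin.Mode() == gin.ReleaseMode {
		log.Fatalf("console-bff: %s must be set in release mode; refusing to start with the built-in demo value", k)
	}
	log.Printf("console-bff: WARNING: %s is not set; using the built-in demo value (development only)", k)
	return demo
}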