package middleware

import (
	"net/http"
	"time"

	"github.com/go-chi/httprate"
)

const (
	// loginRateLimit is the maximum number of login attempts
	// per interval.
	loginRateLimit = 5

	// loginRateInterval is the time window for the rate limit.
	loginRateInterval = 1 * time.Minute
)

// LoginRateLimit returns middleware that enforces per-IP rate
// limiting on login attempts using go-chi/httprate. Only POST
// requests are rate-limited; GET requests (rendering the login
// form) pass through unaffected. When the rate limit is exceeded,
// a 429 Too Many Requests response is returned. IP extraction
// honours X-Forwarded-For, X-Real-IP, and True-Client-IP headers
// for reverse-proxy setups.
func (m *Middleware) LoginRateLimit() func(http.Handler) http.Handler {
	limiter := httprate.Limit(
		loginRateLimit,
		loginRateInterval,
		httprate.WithKeyFuncs(httprate.KeyByRealIP),
		httprate.WithLimitHandler(http.HandlerFunc(
			func(w http.ResponseWriter, r *http.Request) {
				m.log.Warn("login rate limit exceeded",
					"path", r.URL.Path,
				)
				http.Error(
					w,
					"Too many login attempts. "+
						"Please try again later.",
					http.StatusTooManyRequests,
				)
			},
		)),
	)

	return func(next http.Handler) http.Handler {
		limited := limiter(next)

		return http.HandlerFunc(func(
			w http.ResponseWriter,
			r *http.Request,
		) {
			// Only rate-limit POST requests (actual login
			// attempts)
			if r.Method != http.MethodPost {
				next.ServeHTTP(w, r)

				return
			}

			limited.ServeHTTP(w, r)
		})
	}
}