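/**
 * Build the origin string used for WebAuthn origin comparison from a parsed URL.
 *
 * Path, query and fragment are always discarded.
 *
 * @param {URL} u - An already parsed URL.
 * @returns {string} `scheme://host[:port]` without a trailing slash.
 */
function originFromUrl(u) {
  if (u.protocol === 'https:') {
    // HTTPS: always drop the port (443 is the default).
    // NOTE(review): a non-default HTTPS port (e.g. :8443) is dropped as well.
    // Browsers include a non-default port in the origin they report, so a
    // relying party that is really served on such a port cannot be expressed
    // here and its responses would not match - confirm this is intended.
    return `https://${u.hostname}`
  }
  // Everything else (http://localhost:PORT in development, plain HTTP
  // elsewhere): keep scheme and host. The URL parser has already removed a
  // default port (80 for http), so no explicit port-80 handling is needed and
  // the scheme of a non-HTTP URL is never rewritten to http.
  return `${u.protocol}//${u.host}`
}

/**
 * Derive the default WebAuthn origin and RP ID from NUXT_PUBLIC_BASE_URL.
 *
 * Falls back to the local development values when the variable is unset or
 * cannot be parsed as a URL.
 *
 * @returns {{ origin: string, rpId: string }}
 */
function deriveFromBaseUrl() {
  const base = process.env.NUXT_PUBLIC_BASE_URL || 'http://localhost:3100'
  try {
    const u = new URL(base)
    // Same normalization as normalizeOrigin(), so the derived origin and the
    // configured origins cannot drift apart.
    return { origin: originFromUrl(u), rpId: u.hostname }
  } catch {
    return { origin: 'http://localhost:3100', rpId: 'localhost' }
  }
}

/**
 * Normalize a configured origin value to `scheme://host[:port]`.
 *
 * @param {string} value - Origin or URL taken from configuration.
 * @returns {string} The normalized origin, or `value` unchanged when it is
 *   not a parsable URL.
 */
function normalizeOrigin(value) {
  try {
    return originFromUrl(new URL(value))
  } catch {
    // Unparsable input is passed through verbatim; callers only drop it when
    // it is empty.
    return value
  }
}

/**
 * Build the list of origins accepted for WebAuthn, without duplicates.
 *
 * The list starts with `origin`, followed by the comma-separated entries of
 * WEBAUTHN_ALLOWED_ORIGINS (trimmed and normalized).
 *
 * @param {string} origin - The primary, already normalized origin.
 * @returns {string[]} Accepted origins in insertion order.
 */
function getAllowedOrigins(origin) {
  // Every entry widens the set of origins presumably accepted by the code that
  // verifies WebAuthn responses, so the variable should only list origins that
  // belong to the RP ID. Non-empty entries that fail URL parsing stay in the
  // list verbatim; entries are not checked against the RP ID here.
  const configured = String(process.env.WEBAUTHN_ALLOWED_ORIGINS || '')
    .split(',')
    .map(candidate => normalizeOrigin(candidate.trim()))
    .filter(Boolean)

  const origins = [origin, ...configured]

  // Both production hostnames are used in the browser and belong to the same RP ID.
  if (origin === 'https://harheimertc.de' || origin === 'https://www.harheimertc.de') {
    origins.push('https://harheimertc.de', 'https://www.harheimertc.de')
  }

  return [...new Set(origins)]
}

/**
 * Assemble the WebAuthn relying-party configuration from the environment.
 *
 * Reads WEBAUTHN_RP_ID, WEBAUTHN_RP_NAME, WEBAUTHN_ORIGIN,
 * WEBAUTHN_ALLOWED_ORIGINS and WEBAUTHN_REQUIRE_UV, using values derived from
 * NUXT_PUBLIC_BASE_URL where RP ID or origin are not set.
 *
 * @returns {{ rpId: string, rpName: string, origin: string, origins: string[], requireUV: boolean }}
 */
export function getWebAuthnConfig() {
  const derived = deriveFromBaseUrl()
  const rpId = process.env.WEBAUTHN_RP_ID || derived.rpId
  const rpName = process.env.WEBAUTHN_RP_NAME || 'Harheimer TC'

  // WEBAUTHN_ORIGIN takes priority; otherwise the origin is derived from the base URL.
  const origin = normalizeOrigin(process.env.WEBAUTHN_ORIGIN || derived.origin)
  const origins = getAllowedOrigins(origin)

  // User verification is only required when the variable is exactly "true"
  // (any letter case); unset or any other value such as "1" leaves it off.
  const requireUV = (process.env.WEBAUTHN_REQUIRE_UV || '').toLowerCase() === 'true'

  // Logged on every call. The values are configuration, not credentials, but
  // the raw environment strings are echoed unmodified.
  console.log('[DEBUG] WebAuthn Config', {
    rpId,
    rpName,
    origin,
    origins,
    requireUV,
    webauthnOriginEnv: process.env.WEBAUTHN_ORIGIN,
    webauthnAllowedOriginsEnv: process.env.WEBAUTHN_ALLOWED_ORIGINS,
    baseUrlEnv: process.env.NUXT_PUBLIC_BASE_URL,
    derivedOrigin: derived.origin
  })

  return { rpId, rpName, origin, origins, requireUV }
}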