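import { getWebAuthnConfig } from '../../utils/webauthn-config.js'

// If the Nitro/H3 globals are missing, install safe fallbacks on globalThis
// (assigning to globalThis avoids ESLint "no-redeclare").
if (typeof globalThis.getHeader === 'undefined') {
  // Looks the header up by lower-cased name on event.req.headers; null when absent.
  globalThis.getHeader = (e, name) => (e?.req?.headers?.[String(name).toLowerCase()] ?? null)
}
if (typeof globalThis.setHeader === 'undefined') {
  globalThis.setHeader = (e, name, value) => {
    try {
      if (e?.res?.setHeader) e.res.setHeader(name, value)
      else if (e?.node?.res?.setHeader) e.node.res.setHeader(name, value)
    } catch (err) {
      // Deliberately best effort: a failed header write must not fail the preflight.
      void 0
    }
  }
}
if (typeof globalThis.setResponseStatus === 'undefined') {
  globalThis.setResponseStatus = (e, status) => {
    try {
      if (e?.res) e.res.statusCode = status
      else if (e?.node?.res) e.node.res.statusCode = status
    } catch (err) {
      // Deliberately best effort, same as the setHeader fallback.
      void 0
    }
  }
}

/**
 * Normalises an origin string to its canonical `scheme://host[:port]` form so
 * that case and default-port differences do not defeat the allowlist check.
 *
 * @param {unknown} value - Raw Origin header value or configured origin.
 * @returns {string|null} Canonical origin, or null for empty, unparsable or
 *   opaque ("null") origins.
 */
function toCanonicalOrigin(value) {
  if (typeof value !== 'string' || value === '') return null
  try {
    const { origin } = new URL(value)
    return origin === 'null' ? null : origin
  } catch (err) {
    // Not a URL (e.g. the literal Origin value "null"): never treated as allowed.
    return null
  }
}

/**
 * OPTIONS preflight handler for /api/auth/register-passkey.
 *
 * Always answers 204 No Content. CORS headers are emitted only when the
 * request's Origin matches the origin configured for WebAuthn, or when the
 * request carries no Origin header at all (then the configured origin is
 * advertised, as before).
 *
 * @param {object} event - H3/Nitro request event.
 * @returns {Promise<null>} No response body.
 */
export default defineEventHandler(async (event) => {
  const requestOrigin = getHeader(event, 'origin')
  const { origin: webauthnOrigin } = getWebAuthnConfig()
  const userAgent = getHeader(event, 'user-agent')
  // Diagnostic value only: both headers are set by the client or by proxies,
  // so this must not feed any access decision.
  const ip = getHeader(event, 'x-forwarded-for') || getHeader(event, 'x-real-ip') || 'unknown'

  console.log('[DEBUG] ===== OPTIONS preflight for /api/auth/register-passkey =====')
  console.log('[DEBUG] OPTIONS Request Details:', {
    origin: requestOrigin || 'none',
    webauthnOrigin,
    userAgent: userAgent?.substring(0, 100) || 'none',
    ip,
    timestamp: new Date().toISOString(),
    note: 'OPTIONS Preflight für Cross-Device Passkey - Wenn dieser Request vom Smartphone kommt, sollte der User-Agent Mobile/Android/iPhone enthalten'
  })

  // CORS headers for cross-device authentication.
  // The Origin header is caller-controlled. Echoing it back together with
  // Access-Control-Allow-Credentials: true would let any website pass this
  // preflight for credentialed requests, so it is reflected only when it
  // matches the configured WebAuthn origin.
  // NOTE(review): the POST handler for this route is not visible here and
  // should enforce the same allowlist on the actual response.
  const trustedOrigin = toCanonicalOrigin(webauthnOrigin)
  const originIsTrusted = trustedOrigin !== null && toCanonicalOrigin(requestOrigin) === trustedOrigin

  let allowedOrigin = null
  if (!requestOrigin) {
    // No Origin header: not a browser CORS request; advertise the configured origin.
    allowedOrigin = webauthnOrigin
  } else if (originIsTrusted) {
    // Echo the header value itself: browsers compare it against their own serialisation.
    allowedOrigin = requestOrigin
  }

  // The response differs per Origin, so caches must key on it.
  setHeader(event, 'Vary', 'Origin')

  if (allowedOrigin) {
    setHeader(event, 'Access-Control-Allow-Origin', allowedOrigin)
    setHeader(event, 'Access-Control-Allow-Credentials', 'true')
    setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
    setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization, Origin, X-Requested-With')
    setHeader(event, 'Access-Control-Max-Age', '86400') // preflight result cached for 24 hours
    console.log('[DEBUG] CORS headers set for OPTIONS', {
      origin: allowedOrigin,
      requestOrigin,
      webauthnOrigin
    })
  } else {
    // Without CORS headers the browser rejects the preflight; keep a trace for triage.
    console.warn('[DEBUG] CORS headers withheld for OPTIONS: origin not allowed', {
      requestOrigin,
      webauthnOrigin
    })
  }

  // OPTIONS preflight request: 204 No Content
  globalThis.setResponseStatus(event, 204)
  return null
})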