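package kate

import (
	"net/http"
	"net/url"
	"strings"
)

// Redirects configures redirect behavior for authentication handlers.
type Redirects struct {
	// Default is the URL to redirect to after successful authentication when
	// the request does not carry an acceptable target of its own.
	//
	// If empty, "/" is used.
	Default string

	// AllowedPrefixes is a list of allowed redirect URL prefixes.
	//
	// Matching is a plain string prefix test on the raw target, so "/app"
	// also matches "/application"; end a prefix with "/" to match a whole
	// path segment. Targets that leave the current origin (absolute or
	// protocol-relative URLs) are rejected before prefixes are consulted,
	// so a prefix can only narrow the set of local targets.
	//
	// If empty, any local (same-origin) redirect target is allowed.
	AllowedPrefixes []string

	// FieldName is the form/query field name for the redirect target.
	//
	// If empty, Default will always be used as the target.
	FieldName string
}

// isValid reports whether target may be used as a redirect destination.
//
// A target is accepted only if it stays on the current origin: it must be
// non-blank, must not begin with two slash-like characters ("//host",
// "/\host", "\\host"), must parse as a URL, and must carry no scheme, host
// or userinfo. When AllowedPrefixes is non-empty the raw target must also
// start with one of the listed prefixes.
func (r Redirects) isValid(target string) bool {
	// Surrounding whitespace does not survive into a Location header, so the
	// structural checks run on the trimmed form; " //host" must not slip by.
	t := strings.TrimSpace(target)
	if t == "" {
		return false
	}

	// Browsers treat "\" like "/" when resolving a redirect, so "/\host" and
	// "\\host" leave the origin exactly as "//host" does. url.Parse reports
	// no Host for the backslash forms, hence this check on the raw bytes.
	if len(t) > 1 && isRedirectSlash(t[0]) && isRedirectSlash(t[1]) {
		return false
	}

	u, err := url.Parse(t)
	if err != nil {
		return false
	}
	// Any scheme ("https:", "javascript:", ...), host or userinfo means the
	// target is not local. Checking IsAbs() together with Host would accept
	// scheme-only values such as "javascript:..." and protocol-relative
	// "//host" values, which have no scheme but do have a host.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}

	if len(r.AllowedPrefixes) == 0 {
		return true
	}
	for _, prefix := range r.AllowedPrefixes {
		if strings.HasPrefix(target, prefix) {
			return true
		}
	}
	return false
}

// isRedirectSlash reports whether c is a byte browsers treat as a path
// separator when resolving a redirect target.
func isRedirectSlash(c byte) bool {
	return c == '/' || c == '\\'
}

// target returns the redirect destination for req.
//
// It returns Default (or "/" when Default is empty) unless FieldName is set,
// the request form parses, and the named field holds a non-empty value that
// isValid accepts; in that case the field value is returned unchanged.
func (r Redirects) target(req *http.Request) string {
	fallback := r.Default
	if fallback == "" {
		fallback = "/"
	}
	if r.FieldName == "" {
		return fallback
	}
	// A form that does not parse is not an error for the caller; the user
	// simply lands on the default destination.
	if err := req.ParseForm(); err != nil {
		return fallback
	}
	if candidate := req.Form.Get(r.FieldName); candidate != "" && r.isValid(candidate) {
		return candidate
	}
	return fallback
}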