"""Application configuration."""

import os
from pathlib import Path


class Config:
    """Base configuration."""

    BASE_DIR = Path(__file__).parent.parent
    DATABASE = os.environ.get("FLASKPASTE_DB", BASE_DIR / "data" / "pastes.db")
    PASTE_ID_LENGTH = int(os.environ.get("FLASKPASTE_ID_LENGTH", "12"))

    # Paste size limits
    MAX_PASTE_SIZE_ANON = int(os.environ.get("FLASKPASTE_MAX_ANON", 3 * 1024 * 1024))  # 3MiB
    MAX_PASTE_SIZE_AUTH = int(os.environ.get("FLASKPASTE_MAX_AUTH", 50 * 1024 * 1024))  # 50MiB
    MAX_CONTENT_LENGTH = MAX_PASTE_SIZE_AUTH  # Flask request limit

    # Paste expiry (default 5 days)
    PASTE_EXPIRY_SECONDS = int(os.environ.get("FLASKPASTE_EXPIRY", 5 * 24 * 60 * 60))

    # Content deduplication / abuse prevention
    # Throttle repeated submissions of identical content
    CONTENT_DEDUP_WINDOW = int(os.environ.get("FLASKPASTE_DEDUP_WINDOW", 3600))  # 1 hour
    CONTENT_DEDUP_MAX = int(os.environ.get("FLASKPASTE_DEDUP_MAX", 3))  # max 3 per window

    # Reverse proxy trust configuration
    # SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication.
    # This header MUST only come from a trusted reverse proxy that validates
    # client certificates. Direct access to this app MUST be blocked.
    #
    # Set FLASKPASTE_PROXY_SECRET to require the proxy to send a matching
    # X-Proxy-Secret header, providing defense-in-depth against header spoofing.
    TRUSTED_PROXY_SECRET = os.environ.get("FLASKPASTE_PROXY_SECRET", "")

    # Proof-of-work spam prevention
    # Clients must solve a computational puzzle before paste creation.
    # Difficulty is number of leading zero bits required in hash (0 = disabled).
    POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_POW_DIFFICULTY", "16"))
    POW_CHALLENGE_TTL = int(os.environ.get("FLASKPASTE_POW_TTL", "300"))  # 5 minutes
    # Secret key for signing challenges (auto-generated if not set)
    POW_SECRET = os.environ.get("FLASKPASTE_POW_SECRET", "")


class DevelopmentConfig(Config):
    """Development configuration."""

    DEBUG = True


class ProductionConfig(Config):
    """Production configuration."""

    DEBUG = False


class TestingConfig(Config):
    """Testing configuration."""

    TESTING = True
    DATABASE = ":memory:"

    # Relaxed dedup for testing (100 per second window)
    CONTENT_DEDUP_WINDOW = 1
    CONTENT_DEDUP_MAX = 100

    # Disable PoW for most tests (easier testing)
    POW_DIFFICULTY = 0


config = {
    "development": DevelopmentConfig,
    "production": ProductionConfig,
    "testing": TestingConfig,
    "default": DevelopmentConfig,
}