// src/lib/envValidation.ts

/**
 * Zentrale Validierung aller erforderlichen Environment-Variablen.
 * Wird beim Server-Start aufgerufen und beendet den Prozess bei fehlenden Werten.
 */

interface RequiredEnvVars {
  PAYLOAD_SECRET: string
  DATABASE_URI: string
  CONSENT_LOGGING_API_KEY: string
  IP_ANONYMIZATION_PEPPER: string
}

const FORBIDDEN_VALUES = [
  '',
  'default-pepper-change-me',
  'change-me',
  'your-secret-here',
  'xxx',
]

function validateEnvVar(name: string, value: string | undefined): string {
  if (!value || value.trim() === '') {
    throw new Error(
      `FATAL: Environment variable ${name} is required but not set. ` +
        `Server cannot start without this value.`,
    )
  }

  if (FORBIDDEN_VALUES.includes(value.trim().toLowerCase())) {
    throw new Error(
      `FATAL: Environment variable ${name} has an insecure default value. ` +
        `Please set a secure random value.`,
    )
  }

  return value.trim()
}

/**
 * Validiert alle erforderlichen Environment-Variablen.
 * Wirft einen Fehler und beendet den Server-Start, wenn Variablen fehlen.
 */
export function validateRequiredEnvVars(): RequiredEnvVars {
  return {
    PAYLOAD_SECRET: validateEnvVar('PAYLOAD_SECRET', process.env.PAYLOAD_SECRET),
    DATABASE_URI: validateEnvVar('DATABASE_URI', process.env.DATABASE_URI),
    CONSENT_LOGGING_API_KEY: validateEnvVar(
      'CONSENT_LOGGING_API_KEY',
      process.env.CONSENT_LOGGING_API_KEY,
    ),
    IP_ANONYMIZATION_PEPPER: validateEnvVar(
      'IP_ANONYMIZATION_PEPPER',
      process.env.IP_ANONYMIZATION_PEPPER,
    ),
  }
}

/**
 * Lazy-initialized Environment-Variablen.
 * Wird erst beim ersten Zugriff validiert (vermeidet Build-Probleme).
 */
let _cachedEnv: RequiredEnvVars | null = null

export const env: RequiredEnvVars = new Proxy({} as RequiredEnvVars, {
  get(_, prop: keyof RequiredEnvVars) {
    if (!_cachedEnv) {
      _cachedEnv = validateRequiredEnvVars()
    }
    return _cachedEnv[prop]
  },
})