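#!/usr/bin/env bash
#
# Security validation for Trip With Us.
#
# Runs a set of static, grep-based checks over the repository (secrets in
# source, .env handling, npm audit, dangerous DOM APIs, Supabase row level
# security, token/password handling, input validation, CORS, file uploads),
# derives a 0-10 score and writes a JSON report plus the raw npm audit output
# under ../state/ (relative to this script).
#
# Usage:       run from any working directory; the expected layout is
#              <repo>/meta-agent/scripts/<this script>
# Exit status: 0 when the score reaches SECURITY_THRESHOLD, 1 otherwise, so
#              the script can gate a pipeline.
#
# Every check is a heuristic pattern match, not a proof: a passing score means
# "nothing obvious was found", not "the application is secure".

set -u
set -o pipefail

echo "=== Security Validation ==="

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
readonly SECURITY_THRESHOLD=8  # Out of 10

# Paths are resolved relative to this script, not the caller's cwd.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || exit 1
readonly SCRIPT_DIR
readonly ROOT_DIR="$SCRIPT_DIR/../.."
readonly SRC_DIR="$ROOT_DIR/src"
readonly STATE_DIR="$SCRIPT_DIR/../state"
readonly REPORT_DIR="$STATE_DIR/security-reports"
readonly REPORT_JSON="$STATE_DIR/security-validation-report.json"

# --include sets for the source-tree greps.
TS_GLOBS=(--include='*.ts' --include='*.tsx')
JS_GLOBS=("${TS_GLOBS[@]}" --include='*.js' --include='*.jsx')
readonly TS_GLOBS JS_GLOBS

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

#######################################
# Count the lines on stdin and print a bare integer.
# wc -l pads its output with spaces on BSD/macOS; the arithmetic expansion
# strips that so the value is safe inside the JSON report.
#######################################
count_lines() {
  local n
  n=$(wc -l)
  printf '%s\n' "$((n))"
}

#######################################
# Recursive extended-regex grep over src/.
# Arguments: $1 - ERE pattern; remaining args - extra grep options
#            (normally one of the --include sets above)
# Outputs:   matching lines; nothing (and no error) when src/ is absent
#######################################
src_grep() {
  local pattern=$1
  shift
  grep -rE "$@" -- "$pattern" "$SRC_DIR" 2>/dev/null
}

#######################################
# Number of lines in src/ matching an ERE pattern (see src_grep).
#######################################
src_count() {
  src_grep "$@" | count_lines
}

#######################################
# First "<n> SEVERITY" figure in npm audit's text summary, or 0.
# Arguments: $1 - severity word (critical, high, moderate, low)
#            $2 - captured npm audit output
# head -n1 is essential: a second match would make the value multi-line,
# which breaks the -gt comparisons and corrupts the JSON report.
#######################################
audit_count() {
  local severity=$1 text=$2 n
  n=$(printf '%s\n' "$text" | grep -oE "[0-9]+ $severity" | grep -oE '[0-9]+' | head -n 1)
  printf '%s\n' "${n:-0}"
}

#######################################
# True when a .gitignore entry covers ".env" itself: ".env", "/.env",
# ".env*" or "*.env".  A plain substring search would accept
# ".env.example" or ".env.local" as covering ".env", which they do not.
# Arguments: $1 - gitignore path (defaults to the repository's)
#######################################
env_is_gitignored() {
  local ignore_file=${1:-$ROOT_DIR/.gitignore}
  [ -f "$ignore_file" ] && grep -qE '^/?(\.env\*?|\*\.env)[[:space:]]*$' "$ignore_file"
}

#######################################
# Print "true" when $1 is a positive count, else "false" (JSON literal).
#######################################
json_bool() {
  if [ "${1:-0}" -gt 0 ]; then
    echo "true"
  else
    echo "false"
  fi
}

#######################################
# Render the arguments as a JSON array of strings.  Only the fixed
# recommendation texts below are passed in; none of them contain characters
# that would need JSON escaping.
#######################################
json_string_array() {
  local sep="" item
  printf '['
  for item in "$@"; do
    printf '%s"%s"' "$sep" "$item"
    sep=", "
  done
  printf ']\n'
}

# Score bookkeeping.  security_issues counts only the findings serious
# enough to be reported as blocking; some deductions are warnings only.
security_score=10
security_issues=0
recommendations=()

#######################################
# Deduct $1 points; the score is clamped at 0 so it stays "out of 10".
#######################################
lower_score() {
  security_score=$((security_score - $1))
  if [ "$security_score" -lt 0 ]; then
    security_score=0
  fi
}

#######################################
# Deduct $1 points and count a blocking issue.
#######################################
record_issue() {
  lower_score "$1"
  security_issues=$((security_issues + 1))
}

mkdir -p "$REPORT_DIR" || exit 1

# ---------------------------------------------------------------------------
# Hardcoded secrets
# ---------------------------------------------------------------------------
echo "🔒 Checking environment variable security..."
echo "🔍 Scanning for hardcoded secrets..."

# Provider key names and well-known key prefixes.  Lines that read the value
# from process.env are the intended usage and are excluded from the count.
secret_patterns=(
  "SUPABASE_SERVICE_KEY"
  "OPENAI_API_KEY"
  "TWILIO_ACCOUNT_SID"
  "TWILIO_AUTH_TOKEN"
  "SENDGRID_API_KEY"
  "MAPBOX_ACCESS_TOKEN"
  "sk-[a-zA-Z0-9]"
  "xoxb-[a-zA-Z0-9]"
  "AIza[a-zA-Z0-9]"
)

hardcoded_secrets=0
secret_locations=""
for pattern in "${secret_patterns[@]}"; do
  hits=$(grep -rnE "${JS_GLOBS[@]}" -- "$pattern" "$SRC_DIR" 2>/dev/null | grep -v 'process\.env')
  [ -n "$hits" ] || continue
  hardcoded_secrets=$((hardcoded_secrets + $(printf '%s\n' "$hits" | count_lines)))
  # Report file:line only -- echoing the matched line would copy the
  # suspected secret into the build log.
  secret_locations+=$(printf '%s\n' "$hits" | head -n 3 | cut -d: -f1,2)$'\n'
done

if [ "$hardcoded_secrets" -eq 0 ]; then
  echo "✅ No hardcoded secrets found"
else
  echo "❌ Found $hardcoded_secrets potential hardcoded secrets"
  echo "🔍 Secret locations:"
  printf '%s' "$secret_locations"
  record_issue 3
fi

# ---------------------------------------------------------------------------
# Environment files
# ---------------------------------------------------------------------------
echo "🔍 Checking environment file security..."
if [ -f "$ROOT_DIR/.env" ]; then
  if env_is_gitignored; then
    echo "✅ .env file properly ignored in git"
  else
    echo "❌ .env file not in .gitignore"
    record_issue 2
  fi

  env_example="$ROOT_DIR/.env.example"
  if [ -f "$env_example" ]; then
    echo "✅ .env.example file exists"
    # Heuristic: values are present but no "your_"/"example" placeholders.
    if grep -qE '=.*[a-zA-Z0-9]' "$env_example" \
        && ! grep -q 'your_' "$env_example" \
        && ! grep -q 'example' "$env_example"; then
      echo "⚠️  .env.example may contain real values"
      lower_score 1
    fi
  else
    echo "⚠️  No .env.example file found"
  fi
else
  echo "⚠️  No .env file found"
fi

# ---------------------------------------------------------------------------
# Package vulnerabilities (npm audit)
# ---------------------------------------------------------------------------
echo "🔍 Checking package vulnerabilities..."
critical_vulns=0
high_vulns=0
moderate_vulns=0
low_vulns=0
if ! command -v npm >/dev/null 2>&1; then
  echo "⚠️  npm not available for vulnerability check"
elif [ ! -f "$ROOT_DIR/package.json" ]; then
  echo "⚠️  No package.json found; skipping npm audit"
else
  vuln_output=$(cd "$ROOT_DIR" && npm audit --audit-level moderate 2>&1)
  vuln_exit_code=$?
  # Keep the raw output regardless of outcome so findings can be traced.
  printf '%s\n' "$vuln_output" > "$REPORT_DIR/npm-audit.txt"

  if [ "$vuln_exit_code" -eq 0 ]; then
    echo "✅ No known vulnerabilities found"
  else
    # npm audit exits non-zero for findings at or above the audit level, but
    # also for failures such as a missing lockfile or no network access.
    critical_vulns=$(audit_count critical "$vuln_output")
    high_vulns=$(audit_count high "$vuln_output")
    moderate_vulns=$(audit_count moderate "$vuln_output")
    low_vulns=$(audit_count low "$vuln_output")

    if [ $((critical_vulns + high_vulns + moderate_vulns + low_vulns)) -eq 0 ]; then
      echo "⚠️  npm audit did not complete (see $REPORT_DIR/npm-audit.txt)"
    fi

    echo "📊 Vulnerability Report:"
    echo "  Critical: $critical_vulns"
    echo "  High: $high_vulns"
    echo "  Moderate: $moderate_vulns"
    echo "  Low: $low_vulns"

    # Critical is npm's level above high and must not escape the gate.
    if [ $((critical_vulns + high_vulns)) -gt 0 ]; then
      echo "❌ High severity vulnerabilities found"
      record_issue 3
    elif [ "$moderate_vulns" -gt 5 ]; then
      echo "⚠️  Multiple moderate vulnerabilities"
      lower_score 1
    fi
  fi
fi

# ---------------------------------------------------------------------------
# HTTPS and security headers
# ---------------------------------------------------------------------------
echo "🔍 Checking security configurations..."

https_redirect=$(src_count 'https|ssl|secure' "${TS_GLOBS[@]}")
if [ "$https_redirect" -gt 0 ]; then
  echo "✅ HTTPS references found in code"
else
  echo "⚠️  No HTTPS enforcement found"
fi

csp_usage=$(grep -rE "${TS_GLOBS[@]}" --include='*.html' -- 'Content-Security-Policy|CSP' \
  "$SRC_DIR" "$ROOT_DIR/public/" 2>/dev/null | count_lines)
if [ "$csp_usage" -gt 0 ]; then
  echo "✅ Content Security Policy configured"
else
  echo "⚠️  No Content Security Policy found"
  echo "Consider adding CSP headers for XSS protection"
fi

# ---------------------------------------------------------------------------
# Dangerous coding patterns
# ---------------------------------------------------------------------------
echo "🔍 Scanning for dangerous coding patterns..."

dangerous_patterns=0

innerhtml_usage=$(src_count 'innerHTML|outerHTML' "${TS_GLOBS[@]}")
if [ "$innerhtml_usage" -gt 0 ]; then
  echo "⚠️  Found $innerhtml_usage innerHTML/outerHTML usages"
  echo "Consider using textContent or React's dangerouslySetInnerHTML with sanitization"
  dangerous_patterns=$((dangerous_patterns + innerhtml_usage))
fi

eval_usage=$(src_count '\beval\s*\(' "${JS_GLOBS[@]}")
if [ "$eval_usage" -gt 0 ]; then
  echo "❌ Found $eval_usage eval() usages"
  echo "eval() can be dangerous and should be avoided"
  dangerous_patterns=$((dangerous_patterns + eval_usage))
  record_issue 2
fi

docwrite_usage=$(src_count 'document\.write' "${JS_GLOBS[@]}")
if [ "$docwrite_usage" -gt 0 ]; then
  echo "⚠️  Found $docwrite_usage document.write usages"
  dangerous_patterns=$((dangerous_patterns + docwrite_usage))
fi

if [ "$dangerous_patterns" -eq 0 ]; then
  echo "✅ No dangerous coding patterns found"
fi

# ---------------------------------------------------------------------------
# Supabase Row Level Security
# ---------------------------------------------------------------------------
echo "🔍 Checking Supabase Row Level Security..."
rls_enabled=0
rls_policies=0
migrations_dir="$ROOT_DIR/supabase/migrations"
if [ -d "$migrations_dir" ]; then
  rls_enabled=$(grep -rF --include='*.sql' -- 'ENABLE ROW LEVEL SECURITY' "$migrations_dir" 2>/dev/null | count_lines)
  rls_policies=$(grep -rF --include='*.sql' -- 'CREATE POLICY' "$migrations_dir" 2>/dev/null | count_lines)

  echo "📊 RLS Analysis:"
  echo "  Tables with RLS: $rls_enabled"
  echo "  Policies defined: $rls_policies"

  if [ "$rls_enabled" -gt 0 ] && [ "$rls_policies" -gt 0 ]; then
    echo "✅ Row Level Security implemented"
  else
    echo "❌ Insufficient Row Level Security"
    echo "Implement RLS for data protection"
    record_issue 2
  fi

  public_policies=$(grep -rE --include='*.sql' -- 'TO public|TO anon' "$migrations_dir" 2>/dev/null | count_lines)
  if [ "$public_policies" -gt 10 ]; then
    echo "⚠️  High number of public access policies ($public_policies)"
    echo "Review public access permissions"
  fi
else
  echo "⚠️  No Supabase migrations found"
fi

# ---------------------------------------------------------------------------
# Authentication
# ---------------------------------------------------------------------------
echo "🔍 Checking authentication security..."

jwt_usage=$(src_grep 'jwt|token' "${TS_GLOBS[@]}" | grep -iE 'localStorage|sessionStorage' | count_lines)
if [ "$jwt_usage" -gt 0 ]; then
  echo "⚠️  Found $jwt_usage token storage instances"
  echo "Ensure tokens are stored securely (consider httpOnly cookies)"
fi

password_patterns=$(src_grep 'password' "${TS_GLOBS[@]}" | grep -vE 'type|interface|placeholder' | count_lines)
if [ "$password_patterns" -gt 0 ]; then
  echo "📊 Password handling: $password_patterns references"

  password_logs=$(src_count 'console.*password|log.*password' "${TS_GLOBS[@]}")
  if [ "$password_logs" -gt 0 ]; then
    echo "❌ Found password logging - security risk"
    record_issue 2
  fi
fi

# ---------------------------------------------------------------------------
# Input validation
# ---------------------------------------------------------------------------
echo "🔍 Checking input validation..."

# Trip With Us uses Zod for validation.
zod_usage=$(src_count 'import.*zod|\.parse\(|\.safeParse\(' "${TS_GLOBS[@]}")
if [ "$zod_usage" -gt 5 ]; then
  echo "✅ Good input validation with Zod ($zod_usage instances)"
else
  echo "⚠️  Limited input validation found"
  echo "Consider adding more comprehensive input validation"
fi

form_validation=$(src_count 'react-hook-form' "${TS_GLOBS[@]}")
if [ "$form_validation" -gt 0 ]; then
  echo "✅ Form validation implemented ($form_validation instances)"
fi

# ---------------------------------------------------------------------------
# CORS
# ---------------------------------------------------------------------------
echo "🔍 Checking CORS configuration..."
cors_config=$(grep -rE "${TS_GLOBS[@]}" --include='*.toml' -- 'cors|Cross-Origin' \
  "$SRC_DIR" "$ROOT_DIR/supabase/" 2>/dev/null | count_lines)
if [ "$cors_config" -gt 0 ]; then
  echo "✅ CORS configuration found"

  wildcard_cors=$(grep -rF -- '*' "$ROOT_DIR/supabase/" 2>/dev/null | grep -i cors | count_lines)
  if [ "$wildcard_cors" -gt 0 ]; then
    echo "⚠️  Wildcard CORS detected - review for production"
  fi
else
  echo "ℹ️  No explicit CORS configuration found"
fi

# ---------------------------------------------------------------------------
# File uploads
# ---------------------------------------------------------------------------
echo "🔍 Checking file upload security..."
file_validation=0
upload_code=$(src_grep 'upload|file' "${TS_GLOBS[@]}" | grep -iE 'supabase|storage' | count_lines)
if [ "$upload_code" -gt 0 ]; then
  echo "📊 File upload functionality detected ($upload_code instances)"

  file_validation=$(src_count 'mime|extension|\.type' "${TS_GLOBS[@]}")
  if [ "$file_validation" -gt 0 ]; then
    echo "✅ File validation found"
  else
    echo "⚠️  No file type validation found"
    echo "Add file type and size validation for uploads"
  fi
fi

# ---------------------------------------------------------------------------
# Score, recommendations and report
# ---------------------------------------------------------------------------
echo ""
echo "📊 Security Assessment:"
echo "  Security Score: $security_score/10"
echo "  Issues Found: $security_issues"

if [ "$security_score" -ge "$SECURITY_THRESHOLD" ]; then
  echo "✅ Security validation passed"
  security_status="pass"
else
  echo "❌ Security improvements needed"
  security_status="fail"
fi

if [ "$hardcoded_secrets" -gt 0 ]; then
  recommendations+=("CRITICAL: Remove hardcoded secrets and use environment variables")
fi
if [ "$security_issues" -gt 0 ]; then
  recommendations+=("Review and fix security issues before deployment")
fi
if [ "$rls_enabled" -eq 0 ]; then
  recommendations+=("Implement Row Level Security policies for database protection")
fi

if [ -f "$ROOT_DIR/.env" ] && env_is_gitignored; then
  env_security=true
else
  env_security=false
fi

# The ${arr[@]+...} form keeps an empty array from tripping set -u on
# bash versions before 4.4.
cat > "$REPORT_JSON" <<EOF
{
  "timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
  "security_score": $security_score,
  "security_issues": $security_issues,
  "status": "$security_status",
  "checks": {
    "hardcoded_secrets": $hardcoded_secrets,
    "environment_security": $env_security,
    "package_vulnerabilities": {
      "critical": $critical_vulns,
      "high": $high_vulns,
      "moderate": $moderate_vulns,
      "low": $low_vulns
    },
    "dangerous_patterns": $dangerous_patterns,
    "rls_enabled": $(json_bool "$rls_enabled"),
    "rls_policies": $rls_policies,
    "input_validation": $zod_usage,
    "form_validation": $(json_bool "$form_validation"),
    "cors_configured": $(json_bool "$cors_config"),
    "file_upload_security": $(json_bool "$file_validation")
  },
  "recommendations": $(json_string_array ${recommendations[@]+"${recommendations[@]}"})
}
EOF

for item in ${recommendations[@]+"${recommendations[@]}"}; do
  printf '🔧 %s\n' "$item"
done

printf '📄 Security report saved to %s\n' "$REPORT_JSON"
echo "✅ Security validation completed"

# Gate: a non-zero exit when the threshold is missed lets CI block on it.
[ "$security_status" = "pass" ] || exit 1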