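package com.qf.myafterprojecy.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Spring Security configuration for the stateless, JWT-authenticated REST API.
 *
 * <p><b>Authorization bug fixed here.</b> The original file imported {@code javax.ws.rs.HttpMethod},
 * whose {@code GET}/{@code POST} members are plain {@link String} constants, not
 * {@code org.springframework.http.HttpMethod} values. A call such as
 * {@code antMatchers(HttpMethod.GET, "/api/auth/**")} therefore compiled against the
 * {@code antMatchers(String...)} overload: {@code "GET"} was treated as a (never-matching) ant
 * pattern and every listed path was {@code permitAll()} for <em>all</em> HTTP methods, so e.g.
 * unauthenticated {@code PUT}/{@code DELETE} on {@code /api/articles/**} or {@code /api/users/**}
 * passed the web layer (only method-level security, if any, stood in the way). Importing the Spring
 * {@code HttpMethod} type restores the per-method restriction the rules were written to express.
 *
 * <p>Design points a maintainer should know:
 * <ul>
 *   <li>Sessions are {@link SessionCreationPolicy#STATELESS}; identity comes from the JWT that
 *       {@code JwtAuthenticationFilter} validates on every request.</li>
 *   <li>CSRF protection is disabled. That is only sound while the token travels in a request header
 *       (browsers do not attach headers cross-site). NOTE(review): if the token is ever carried in a
 *       cookie, CSRF protection must be re-enabled — confirm against {@code JwtAuthenticationFilter}.</li>
 *   <li>{@code hasRole("ADMIN")} requires the granted authority {@code "ROLE_ADMIN"}.</li>
 *   <li>NOTE(review): if {@code JwtAuthenticationFilter} is itself a {@code @Component}, Spring Boot
 *       also registers it in the servlet container's filter chain, so it would run twice per request;
 *       disable that registration (e.g. a {@code FilterRegistrationBean} with {@code setEnabled(false)})
 *       or drop the {@code @Component} — TODO confirm.</li>
 *   <li>The {@code UserDetailsService} and {@code PasswordEncoder} fields of the original were never
 *       used in this class and have been removed; the global {@link AuthenticationManager} obtained via
 *       {@link AuthenticationConfiguration} is expected to pick up those beans on its own.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
// Enable @PreAuthorize/@PostAuthorize, @Secured and JSR-250 (@RolesAllowed) method security.
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig {

    /** Paths that may be read (GET only) without authentication. */
    private static final String[] PUBLIC_GET_PATHS = {
        "/api/auth/**",
        "/api/help/**",
        "/api/category-attributes/**",
        "/api/markdowns/**",
        "/api/articles/**",
        "/api/messages/**",
        "/api/categories/**"
    };

    /**
     * Paths that accept unauthenticated POST.
     *
     * <p>{@code /api/auth/**} is included because the buggy original effectively permitted every
     * method on it, and login/refresh endpoints conventionally use POST; restricting it to GET
     * alone would lock clients out of obtaining a token. TODO confirm against the auth controller.
     *
     * <p>NOTE(review): {@code /api/users/**} permits anonymous POST to <em>every</em> nested user
     * endpoint, not just registration. If only sign-up is meant to be public, narrow this pattern
     * to that path.
     */
    private static final String[] PUBLIC_POST_PATHS = {
        "/api/auth/**",
        "/api/messages/**",
        "/api/users/**"
    };

    private final JwtAuthenticationFilter jwtAuthenticationFilter;

    /**
     * @param jwtAuthenticationFilter filter that validates the bearer JWT and populates the
     *                                {@code SecurityContext}; inserted into the chain below
     */
    public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    /**
     * Exposes the global {@link AuthenticationManager} built by Spring Security.
     *
     * @param authenticationConfiguration the framework-provided authentication configuration
     * @return the shared authentication manager
     * @throws Exception if the underlying builder fails
     */
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration)
            throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }

    /**
     * Builds the HTTP security filter chain: default-deny authorization rules, stateless sessions,
     * the JWT filter, and a UTF-8 response-encoding filter.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @return the configured {@link SecurityFilterChain}
     * @throws Exception if the builder rejects the configuration
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Safe only because sessions are stateless and the JWT is sent as a header, not a cookie.
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(auth -> auth
                // Publicly readable resources, GET only. The first argument must be the Spring
                // HttpMethod; a String here silently selects the antMatchers(String...) overload.
                .antMatchers(HttpMethod.GET, PUBLIC_GET_PATHS).permitAll()
                // Unauthenticated writes: auth endpoints, visitor messages, user registration.
                .antMatchers(HttpMethod.POST, PUBLIC_POST_PATHS).permitAll()
                // Administrative API requires authority "ROLE_ADMIN".
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                // Default deny: anything not listed above needs an authenticated principal.
                .anyRequest().authenticated())
            // Never create or consult an HttpSession; each request authenticates via its JWT.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

        // Authenticate from the JWT before the position of the form-login filter.
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

        // Apply a UTF-8 default to the response before the JWT filter runs, so bodies written
        // directly by the security layer (e.g. 401/403 responses) are UTF-8 encoded. Controllers and
        // message converters may still override the Content-Type later. The application-wide
        // encoding filter is configured separately (CharacterEncodingConfig, not shown here).
        // NOTE(review): "text/html" is a risky default for a JSON API — any security-layer response
        // that echoes request data would be rendered as HTML by a browser. Prefer setting only the
        // character encoding, or an "application/json" type, once existing clients are checked.
        http.addFilterBefore((request, response, chain) -> {
            response.setCharacterEncoding("UTF-8");
            response.setContentType("text/html;charset=UTF-8");
            chain.doFilter(request, response);
        }, JwtAuthenticationFilter.class);

        return http.build();
    }
}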