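#!/usr/bin/env bash
#
# Harden a Laravel app's HTTPS/cookie settings so Safari stops flagging the
# admin pages: write HTTPS-related keys to .env, flip session/CSRF cookies to
# secure, add HSTS / upgrade-insecure-requests headers and an HTTPS redirect to
# public/.htaccess, force the https scheme in AppServiceProvider, clear the
# Laravel caches and write a small PHP checker (test-https-security.php).
#
# Usage: run from the Laravel project root.
# Env:   SITE_URL  canonical https URL written to APP_URL
#                  (default: https://neonail.vogt.de.com)
#
# Every step is idempotent: re-running the script neither duplicates .env keys
# nor inserts the same .htaccess / provider lines twice.
# Requires GNU sed (`sed -i` without a suffix argument).
set -euo pipefail

readonly SITE_URL=${SITE_URL:-https://neonail.vogt.de.com}

#######################################
# Set KEY=VALUE in a dotenv-style file: every existing "KEY=" line is replaced,
# otherwise the pair is appended. Rewrites the file in place through cat so the
# inode and its permissions are kept.
# Arguments: $1 - key, $2 - value, $3 - file
# Returns:   non-zero if the temp file cannot be created
#######################################
set_env_value() {
  local key=$1 value=$2 file=$3
  local tmp line found=0
  tmp=$(mktemp) || return 1
  # `|| [[ -n "$line" ]]` keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ "$line" == "${key}="* ]]; then
      printf '%s=%s\n' "$key" "$value"
      found=1
    else
      printf '%s\n' "$line"
    fi
  done < "$file" > "$tmp"
  (( found )) || printf '%s=%s\n' "$key" "$value" >> "$tmp"
  cat -- "$tmp" > "$file"
  rm -f -- "$tmp"
}

#######################################
# Insert a (possibly multi-line) block after the first line containing a
# literal marker; append the block to the end of the file when the marker is
# absent. Callers are expected to check beforehand that the block is not
# already present.
# Arguments: $1 - file, $2 - literal marker, $3 - text to insert
# Returns:   non-zero if the temp file cannot be created
#######################################
insert_after_or_append() {
  local file=$1 marker=$2 block=$3
  local tmp line inserted=0
  if ! grep -q -F -- "$marker" "$file"; then
    printf '%s\n' "$block" >> "$file"
    return 0
  fi
  tmp=$(mktemp) || return 1
  while IFS= read -r line || [[ -n "$line" ]]; do
    printf '%s\n' "$line"
    # Quoted pattern: the marker is matched literally, not as a glob.
    if (( ! inserted )) && [[ "$line" == *"$marker"* ]]; then
      printf '%s\n' "$block"
      inserted=1
    fi
  done < "$file" > "$tmp"
  cat -- "$tmp" > "$file"
  rm -f -- "$tmp"
}

#######################################
# Add `URL::forceScheme('https')` (guarded by the production environment) to
# boot() of a Laravel service provider, plus the facade import it needs.
# The snippet is placed after the `{` that opens boot(), whether that brace is
# on the signature line or on the following line (PSR-12); inserting right
# after the signature line would land between `boot(): void` and `{`.
# Arguments: $1 - provider file
# Outputs:   warnings on stderr when the namespace line or boot() is missing
#######################################
add_force_https_to_provider() {
  local file=$1
  local tmp line trimmed state=0
  local snippet=$'        if (config(\'app.env\') === \'production\') {\n            URL::forceScheme(\'https\');\n        }'
  if grep -q -F "URL::forceScheme('https')" -- "$file"; then
    return 0
  fi
  # Inside `namespace App\Providers;` an unqualified `URL` resolves to
  # App\Providers\URL, so the facade import is required for the call to work.
  if ! grep -q -F 'use Illuminate\Support\Facades\URL;' -- "$file"; then
    if grep -q -F 'namespace App\Providers;' -- "$file"; then
      insert_after_or_append "$file" 'namespace App\Providers;' \
        'use Illuminate\Support\Facades\URL;'
    else
      printf '%s\n' "  ⚠️ namespace-Zeile nicht gefunden; use Illuminate\\Support\\Facades\\URL; bitte manuell ergänzen" >&2
    fi
  fi
  tmp=$(mktemp) || return 1
  while IFS= read -r line || [[ -n "$line" ]]; do
    printf '%s\n' "$line"
    trimmed=${line//[[:space:]]/}
    if (( state == 0 )) && [[ "$line" == *'public function boot(): void'* ]]; then
      if [[ "$trimmed" == *'{' ]]; then
        printf '%s\n' "$snippet"
        state=2
      else
        state=1
      fi
    elif (( state == 1 )) && [[ "$trimmed" == '{' ]]; then
      printf '%s\n' "$snippet"
      state=2
    fi
  done < "$file" > "$tmp"
  cat -- "$tmp" > "$file"
  rm -f -- "$tmp"
  (( state == 2 )) || printf '%s\n' "  ⚠️ boot() nicht gefunden; URL::forceScheme nicht eingefügt" >&2
}

#######################################
# Step 1: HTTPS / cookie keys in .env.
#######################################
configure_env() {
  printf '%s\n' "1. 🔒 HTTPS-Einstellungen in .env..."
  if [[ ! -f .env ]]; then
    printf '%s\n' "  ❌ .env Datei nicht gefunden"
    return 0
  fi
  set_env_value APP_URL "$SITE_URL" .env
  # Flags the app's config is expected to read via env(); verify that
  # config/session.php (and any custom config) actually references them.
  set_env_value FORCE_HTTPS true .env
  set_env_value SECURE_COOKIES true .env
  set_env_value SESSION_SECURE_COOKIE true .env
  set_env_value SESSION_SAME_SITE lax .env
  set_env_value SESSION_HTTP_ONLY true .env
  # NOTE(review): an earlier version also set APP_DEBUG=true and
  # APP_ENV=local here. Neither is related to HTTPS, on a live host they expose
  # stack traces and configuration, and APP_ENV=local would disable the
  # production-only URL::forceScheme() guard added in step 5. Both are left
  # untouched on purpose.
  printf '%s\n' "  ✅ .env HTTPS-Einstellungen aktualisiert"
}

#######################################
# Step 2: secure / http_only session cookies.
#######################################
configure_session() {
  local file=config/session.php
  printf '%s\n' "2. 🍪 Session-Konfiguration..."
  if [[ ! -f "$file" ]]; then
    printf '%s\n' "  ❌ config/session.php nicht gefunden"
    return 0
  fi
  # Only a literal `false` is rewritten. A stock Laravel session.php reads
  # these values through env() instead, which step 1 already covers.
  sed -i "s/'secure' => false/'secure' => true/" -- "$file"
  sed -i "s/'http_only' => false/'http_only' => true/" -- "$file"
  printf '%s\n' "  ✅ Session-Konfiguration aktualisiert"
}

#######################################
# Step 3: secure CSRF cookie. same_site stays at 'lax' (set via .env).
#######################################
configure_csrf() {
  local file=config/csrf.php
  printf '%s\n' "3. 🔐 CSRF-Konfiguration..."
  if [[ ! -f "$file" ]]; then
    printf '%s\n' "  ❌ config/csrf.php nicht gefunden"
    return 0
  fi
  sed -i "s/'secure' => false/'secure' => true/" -- "$file"
  printf '%s\n' "  ✅ CSRF-Konfiguration aktualisiert"
}

#######################################
# Step 4: HSTS + upgrade-insecure-requests headers and an HTTP->HTTPS redirect
# in public/.htaccess.
#######################################
configure_htaccess() {
  local file=public/.htaccess
  local headers redirect
  printf '%s\n' "4. 🌐 .htaccess HTTPS-Headers..."
  if [[ ! -f "$file" ]]; then
    printf '%s\n' "  ❌ public/.htaccess nicht gefunden"
    return 0
  fi
  headers='Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "upgrade-insecure-requests"'
  redirect='RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]'
  if ! grep -q -F 'Strict-Transport-Security' -- "$file"; then
    # Goes after the "# Security Headers" marker when present, else at the
    # end of the file. Header directives need mod_headers; if the file wraps
    # them in <IfModule mod_headers.c>, check the appended lines sit inside it.
    insert_after_or_append "$file" '# Security Headers' "$headers"
  fi
  if ! grep -q -F 'RewriteCond %{HTTPS} off' -- "$file"; then
    if grep -q -F 'RewriteEngine On' -- "$file"; then
      insert_after_or_append "$file" 'RewriteEngine On' "$redirect"
    else
      # Rewrite rules are inert without the engine switched on.
      printf '%s\n' 'RewriteEngine On' "$redirect" >> "$file"
    fi
  fi
  printf '%s\n' "  ✅ .htaccess HTTPS-Headers aktualisiert"
}

#######################################
# Step 5: force the https scheme for generated URLs in production.
#######################################
configure_provider() {
  local file=app/Providers/AppServiceProvider.php
  printf '%s\n' "5. 🔧 AppServiceProvider HTTPS-Force..."
  if [[ ! -f "$file" ]]; then
    printf '%s\n' "  ❌ AppServiceProvider nicht gefunden"
    return 0
  fi
  add_force_https_to_provider "$file"
  printf '%s\n' "  ✅ AppServiceProvider HTTPS-Force aktualisiert"
}

#######################################
# Step 6: clear Laravel caches, best effort.
#######################################
clear_caches() {
  local cmd
  printf '%s\n' "6. 🧹 Laravel Cache leeren..."
  for cmd in cache:clear config:clear route:clear view:clear; do
    # A missing php/artisan must not abort the remaining steps.
    php artisan "$cmd" 2>/dev/null || printf '%s\n' "  ⚠️ ${cmd} übersprungen"
  done
}

#######################################
# Step 7: write test-https-security.php, a checker for the settings above.
# Globals: SITE_URL (read) - substituted for the __SITE_URL__ placeholder.
#######################################
write_test_script() {
  local php_src
  printf '%s\n' "7. 🧪 Test-Script erstellen..."
  # NOTE(review): the head of this checker (the <?php tag, banner and sections
  # 1-2) was missing from the version under review; it was reconstructed to
  # check exactly the settings this script writes. Sections 3-4 are verbatim.
  php_src=$(cat <<'EOF'
<?php
// Prüft die von diesem Script gesetzten HTTPS-Einstellungen.
echo "🛡️ HTTPS-Sicherheit Test\n";
echo "========================\n";

// 1. Prüfe .env
echo "\n1. .env HTTPS-Einstellungen:\n";
if (file_exists('.env')) {
    $content = file_get_contents('.env');
    $expected = [
        'APP_URL=https://',
        'FORCE_HTTPS=true',
        'SECURE_COOKIES=true',
        'SESSION_SECURE_COOKIE=true',
        'SESSION_SAME_SITE=lax',
        'SESSION_HTTP_ONLY=true',
    ];
    foreach ($expected as $setting) {
        if (strpos($content, $setting) !== false) {
            echo " ✅ $setting\n";
        } else {
            echo " ❌ $setting fehlt\n";
        }
    }
}

// 2. Prüfe Session-Konfiguration
echo "\n2. Session-Konfiguration:\n";
if (file_exists('config/session.php')) {
    $content = file_get_contents('config/session.php');
    if (strpos($content, "'secure' => true") !== false) {
        echo " ✅ Session secure: true\n";
    } else {
        echo " ❌ Session secure: false\n";
    }
    if (strpos($content, "'http_only' => true") !== false) {
        echo " ✅ Session http_only: true\n";
    } else {
        echo " ❌ Session http_only: false\n";
    }
}

// 3. Prüfe CSRF-Konfiguration
echo "\n3. CSRF-Konfiguration:\n";
if (file_exists('config/csrf.php')) {
    $content = file_get_contents('config/csrf.php');
    if (strpos($content, "'secure' => true") !== false) {
        echo " ✅ CSRF secure: true\n";
    } else {
        echo " ❌ CSRF secure: false\n";
    }
}

// 4. Prüfe .htaccess
echo "\n4. .htaccess HTTPS-Headers:\n";
if (file_exists('public/.htaccess')) {
    $content = file_get_contents('public/.htaccess');
    if (strpos($content, 'Strict-Transport-Security') !== false) {
        echo " ✅ HSTS Header vorhanden\n";
    } else {
        echo " ❌ HSTS Header fehlt\n";
    }
    if (strpos($content, 'upgrade-insecure-requests') !== false) {
        echo " ✅ CSP upgrade-insecure-requests vorhanden\n";
    } else {
        echo " ❌ CSP upgrade-insecure-requests fehlt\n";
    }
}

echo "\n✅ HTTPS-Sicherheit Test abgeschlossen!\n";
echo "🔗 Testen Sie jetzt: __SITE_URL__/admin/users\n";
EOF
)
  # The heredoc is quoted so PHP's $content survives; only the placeholder
  # is substituted, which keeps the checker in sync with SITE_URL.
  printf '%s\n' "${php_src//__SITE_URL__/$SITE_URL}" > test-https-security.php
  printf '%s\n' "  ✅ Test-Script erstellt"
}

#######################################
# Entry point: run all steps in order and print the manual follow-up checks.
#######################################
main() {
  printf '%s\n' "🛡️ Fix: Safari Sicherheitswarnungen"
  printf '%s\n' "=================================="
  [[ -f artisan ]] || printf '%s\n' "  ⚠️ Kein artisan im aktuellen Verzeichnis - bitte aus dem Laravel-Projektroot starten" >&2
  configure_env
  configure_session
  configure_csrf
  configure_htaccess
  configure_provider
  clear_caches
  write_test_script
  printf '\n%s\n\n' "✅ Safari Sicherheitswarnungen behoben!"
  printf '%s\n' "🔗 Testen Sie jetzt:" \
    "1. Admin-Panel: ${SITE_URL}/admin/users" \
    "2. Lack löschen im Admin-Panel" \
    "3. User bearbeiten/löschen" \
    "" \
    "📝 Falls Warnungen bestehen:" \
    "- Führen Sie php test-https-security.php aus" \
    "- Prüfen Sie Browser-Entwicklertools (F12)" \
    "- Leeren Sie Browser-Cache"
}

main "$@"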