'use strict';

const rateLimit = require('express-rate-limit');

// All limiters below share the same 15-minute window.
const WINDOW_15_MIN = 15 * 60 * 1000;

/**
 * Build an express-rate-limit middleware with a JSON 429 response.
 *
 * Notes for reviewers/operators (not enforced here):
 * - No `key` generator is supplied, so the library's default (client IP)
 *   applies. Behind a reverse proxy, Express's `trust proxy` setting must be
 *   configured so the limiter keys on the real client address rather than
 *   the proxy's; otherwise every client shares one bucket (see the
 *   express-rate-limit documentation on trust proxy).
 * - No `store` option is supplied, so counts live in the library's default
 *   in-memory store and are per process; a multi-instance deployment needs
 *   a shared store for the limit to hold cluster-wide.
 *
 * @param {number} max - Maximum requests allowed per window.
 * @param {number} windowMs - Window length in milliseconds.
 * @param {string} message - Text placed in the `error` field of the 429 body.
 * @returns {import('express').RequestHandler} Rate-limiting middleware.
 */
function makeLimiter(max, windowMs, message) {
  const limiterOptions = {
    windowMs,
    max,
    standardHeaders: 'draft-7',
    legacyHeaders: false,
    // Replace the library's default HTML/text 429 with a JSON body so API
    // clients get a consistent error shape.
    handler: (req, res) => {
      res.status(429).json({ error: message });
    },
  };
  return rateLimit(limiterOptions);
}

/** Login: 10 attempts per 15 minutes per key — credential brute-force protection. */
const loginLimiter = makeLimiter(
  10,
  WINDOW_15_MIN,
  'Too many login attempts. Please try again in 15 minutes.',
);

/** Password change: 5 attempts per 15 minutes per key. */
const passwordLimiter = makeLimiter(
  5,
  WINDOW_15_MIN,
  'Too many password change attempts. Please try again in 15 minutes.',
);

/** Import preview/apply: 20 requests per 15 minutes per key. */
const importLimiter = makeLimiter(
  20,
  WINDOW_15_MIN,
  'Too many import requests. Please try again in 15 minutes.',
);

/** Export: 30 requests per 15 minutes per key. */
const exportLimiter = makeLimiter(
  30,
  WINDOW_15_MIN,
  'Too many export requests. Please try again in 15 minutes.',
);

/** Admin mutations (backup/restore/cleanup): 30 actions per 15 minutes per key. */
const adminActionLimiter = makeLimiter(
  30,
  WINDOW_15_MIN,
  'Too many admin actions. Please try again in 15 minutes.',
);

/** OIDC login/callback: 20 requests per 15 minutes per key. */
const oidcLimiter = makeLimiter(
  20,
  WINDOW_15_MIN,
  'Too many authentication requests. Please try again in 15 minutes.',
);

module.exports = {
  loginLimiter,
  passwordLimiter,
  importLimiter,
  exportLimiter,
  adminActionLimiter,
  oidcLimiter,
};