# Rate limiting zones (before server block)
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/m;
# SEC-14: Registration endpoint — slightly more permissive than strict auth endpoints
limit_req_zone $binary_remote_addr zone=register_limit:10m rate=5r/m;
# Admin API — generous for legitimate use but still guards against scraping/brute-force
limit_req_zone $binary_remote_addr zone=admin_limit:10m rate=30r/m;
# Calendar sharing endpoints
limit_req_zone $binary_remote_addr zone=cal_invite_limit:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=cal_sync_limit:10m rate=15r/m;
# Connection endpoints — prevent search enumeration and request spam
limit_req_zone $binary_remote_addr zone=conn_search_limit:10m rate=10r/m;
limit_req_zone $binary_remote_addr zone=conn_request_limit:10m rate=3r/m;

# Use X-Forwarded-Proto from upstream proxy when present, fall back to $scheme for direct access
map $http_x_forwarded_proto $forwarded_proto {
    default $scheme;
    https   https;
    http    http;
}

server {
    listen 8080;
    server_name localhost;
    root /usr/share/nginx/html;
    index index.html;

    # Suppress nginx version in Server header
    server_tokens off;

    # ── Real client IP restoration (PT-01) ────────────────────────────
    # Pangolin (TLS-terminating reverse proxy) connects via Docker bridge.
    # Restore the real client IP from X-Forwarded-For so that limit_req_zone
    # (which keys on $binary_remote_addr) throttles per-client, not per-proxy.
    # Safe to trust all sources: nginx is only reachable via Docker networking,
    # never directly internet-facing. Tighten if deployment model changes.
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/javascript application/json;

    # Block dotfiles (except .well-known for ACME/Let's Encrypt) (PT-04)
    location ~ /\.(?!well-known) {
        default_type application/json;
        return 404 '{"detail":"Not Found"}';
    }

    # Rate-limited auth endpoints (keep in sync with proxy-params.conf)
    location /api/auth/login {
        limit_req zone=auth_limit burst=5 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    location /api/auth/verify-password {
        limit_req zone=auth_limit burst=5 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    location /api/auth/totp-verify {
        limit_req zone=auth_limit burst=5 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    location /api/auth/change-password {
        limit_req zone=auth_limit burst=5 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    location /api/auth/setup {
        # Tighter burst: setup is one-time-only, 3 attempts is sufficient
        limit_req zone=auth_limit burst=3 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    # SEC-14: Rate-limit public registration endpoint
    location /api/auth/register {
        limit_req zone=register_limit burst=3 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    # Connection search — rate-limited to prevent user enumeration
    location /api/connections/search {
        limit_req zone=conn_search_limit burst=5 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    # Connection request (send) — exact match to avoid catching /requests/*
    location = /api/connections/request {
        limit_req zone=conn_request_limit burst=3 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    # Calendar invite — rate-limited to prevent invite spam
    location ~ /api/shared-calendars/\d+/invite {
        limit_req zone=cal_invite_limit burst=3 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    # Calendar sync — rate-limited to prevent excessive polling
    location /api/shared-calendars/sync {
        limit_req zone=cal_sync_limit burst=5 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }
    # Admin API — rate-limited separately from general /api traffic
    location /api/admin/ {
        limit_req zone=admin_limit burst=10 nodelay;
        limit_req_status 429;
        include /etc/nginx/proxy-params.conf;
    }

    # API proxy
    location /api {
        proxy_pass http://backend:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $forwarded_proto;
        proxy_cache_bypass $http_upgrade;

        # PT-L01: Prevent browser caching of authenticated API responses
        add_header Cache-Control "no-store, no-cache, must-revalidate" always;
        # Security headers (must be repeated — nginx add_header in a location block
        # overrides server-level add_header directives, so all headers must be explicit)
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self';" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
    }

    # SPA fallback - serve index.html for all routes
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Cache static assets
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self';" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self';" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # PT-I03: Restrict unnecessary browser APIs
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
}