# Route table: browser authentication, admin screens, the JSON WAF agent API,
# and project / network-range / rule management.
# Rails matches routes top to bottom, so the declaration order is significant.
# Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html
Rails.application.routes.draw do
  # Registration is only allowed when no users exist.
  # NOTE(review): nothing in this file enforces that condition; confirm the
  # registrations controller checks it on both `new` and `create`.
  resource :registration, only: %i[new create]

  # No `only:` filter, so every singular-resource action is routed for both.
  # NOTE(review): confirm the controllers implement just the intended actions.
  resource :session
  resource :password

  # OIDC authentication routes.
  # `:provider` is unconstrained, and every value is dispatched to the single
  # `oidc` action.
  # NOTE(review): confirm the callback rejects providers that are not configured.
  get "/auth/failure", to: "omniauth_callbacks#failure"
  get "/auth/:provider/callback", to: "omniauth_callbacks#oidc"

  # Admin user management (admin only).
  # NOTE(review): the admin restriction is not expressed in routing; it must
  # be enforced in the users controller for every action listed here.
  resources :users, only: %i[index show edit update]

  # Health status on /up: returns 200 if the app boots with no exceptions,
  # otherwise 500. Can be used by load balancers and uptime monitors to verify
  # that the app is live.
  get "up", to: "rails/health#show", as: :rails_health_check

  # WAF API (JSON by default).
  # The project id / public key travel in the URL path, so they will show up in
  # access logs and intermediary proxies.
  # NOTE(review): confirm how agents authenticate on these endpoints and
  # whether the path value is treated as an identifier rather than a secret.
  namespace :api, defaults: { format: :json } do
    # Event ingestion (PRIMARY method - includes rule updates in response)
    post ":project_id/events", to: "events#create"

    # Rule synchronization (SECONDARY - for admin/debugging only).
    # Agents should use event responses for rule synchronization.
    # NOTE(review): "admin/debugging only" is not enforced by routing; verify
    # the rules controller restricts access accordingly.
    get ":public_key/rules/version", to: "rules#version"
    get ":public_key/rules", to: "rules#index"
  end

  # Root path - projects dashboard
  root "projects#index"

  # Project management: nested event listing plus a per-project analytics page.
  resources :projects, only: %i[index new create show edit update] do
    resources :events, only: %i[index]

    get :analytics, on: :member
  end

  # Network range management
  resources :network_ranges, only: %i[index show new create edit update destroy] do
    post :enrich, on: :member

    get :lookup, on: :collection
    get :search, on: :collection
  end

  # Support CIDR patterns with dots in network range routes. The constraint
  # replaces the default segment pattern, so `:id` may contain digits, dots,
  # colons, slashes and underscores here.
  # NOTE(review): only `show` gets this fallback; the other member routes
  # presumably still reject ids containing dots - verify. The controller should
  # still parse and validate the id rather than rely on this pattern alone.
  get "/network_ranges/:id", to: "network_ranges#show", constraints: { id: /[\d\.:\/_]+/ }

  # Rule management: rules can be enabled/disabled but not destroyed via routes.
  resources :rules, only: %i[index new create show edit update] do
    post :disable, on: :member
    post :enable, on: :member
  end
end