import type { APIRoute } from 'astro';
import { createHmac, timingSafeEqual } from 'node:crypto';

export const POST: APIRoute = async ({ request }) => {
  const webhookSecret = import.meta.env.STORYBLOK_WEBHOOK_SECRET;
  const token = import.meta.env.CLEVER_TOKEN;
  const orgaId = import.meta.env.CLEVER_ORGA_ID;
  const appId = import.meta.env.CLEVER_APP_ID_PRODUCTION;

  if (!webhookSecret || !token || !orgaId || !appId) {
    return new Response('Missing server configuration', { status: 500 });
  }

  const body = await request.text();
  const signature = request.headers.get('webhook-signature') ?? '';
  const expected = createHmac('sha1', webhookSecret).update(body).digest('hex');

  if (!timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    return new Response('Invalid signature', { status: 401 });
  }

  const response = await fetch(
    `https://api-bridge.clever-cloud.com/v2/organisations/${orgaId}/applications/${appId}/instances`,
    {
      method: 'POST',
      headers: { Authorization: `Bearer ${token}` },
    },
  );

  if (!response.ok) {
    const error = await response.text();
    return new Response(`Clever Cloud API error: ${response.status} ${error}`, { status: 502 });
  }

  return new Response('Rebuild triggered', { status: 200 });
};