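# Default server — local development fallback
# Routes by path when not using subdomain-based routing
#
# NOTE(review): `default_server` plus `server_name _` makes this block the
# catch-all for port 80: any request whose Host matches no other server block
# lands here, and `location /` forwards it to the admin GUI over plain HTTP.
# That is fine for local development; outside it, keep this listener off
# untrusted networks.
#
# NOTE(review): every proxy_pass below uses a variable, which makes nginx
# resolve the upstream hostname at request time. That requires a `resolver`
# directive; none is visible in this block, so it is presumably set at the
# http level. Confirm.
server {
    listen 80 default_server;
    server_name localhost _;

    # Server-level default. nginx inherits add_header from the outer level only
    # when the current level declares no add_header of its own, so a location
    # that sets its own header (auth-check below) does not send this one.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Auth check iframe — allows cross-origin login state detection (MkDocs header)
    # X-Frame-Options is not inherited here (see above); framing is governed by
    # the frame-ancestors list alone. The wildcard ports allow any origin on
    # localhost / 127.0.0.1 to embed this page, which is a development setting:
    # outside development, list the exact docs origin instead.
    location = /auth-check.html {
        add_header Content-Security-Policy "frame-ancestors 'self' http://localhost:* http://127.0.0.1:*" always;
        set $upstream_admin_authcheck http://changemaker-v2-admin:3000;
        proxy_pass $upstream_admin_authcheck;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Social media bot detection for OG meta tags
    # User-Agent is client-supplied, so this is a rendering hint, not an access
    # control: the /api/og/* endpoints are reachable by anyone who sends one of
    # these strings and should return only data that is already public.
    set $is_bot 0;
    if ($http_user_agent ~* "(Twitterbot|facebookexternalhit|LinkedInBot|Slackbot|TelegramBot|WhatsApp|Discordbot|Googlebot|bingbot|Pinterest|Embedly|Quora Link Preview|Showyoubot|outbrain|vkShare|W3C_Validator)") {
        set $is_bot 1;
    }

    # Bot-specific rewrites for rich social previews
    # Regex locations are evaluated before the plain prefix locations below, so
    # these take precedence over `location /`. `rewrite ... last` restarts
    # location matching, and the rewritten URI is then served by `location /api/`.
    #
    # X-Forwarded-For is built with $proxy_add_x_forwarded_for, which appends
    # $remote_addr to whatever value the client sent. Upstreams should trust
    # X-Real-IP or the last hop only, never the left-most entry.
    location ~ ^/campaign/([^/]+)$ {
        if ($is_bot) {
            rewrite ^/campaign/(.+)$ /api/og/campaign/$1 last;
        }
        set $upstream_admin http://changemaker-v2-admin:3000;
        proxy_pass $upstream_admin;
        # The Upgrade handshake needs HTTP/1.1 towards the upstream; set it here
        # rather than relying on an http-level default.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location ~ ^/p/([^/]+)$ {
        if ($is_bot) {
            rewrite ^/p/(.+)$ /api/og/page/$1 last;
        }
        set $upstream_admin http://changemaker-v2-admin:3000;
        proxy_pass $upstream_admin;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location ~ ^/gallery/watch/([^/]+)$ {
        if ($is_bot) {
            rewrite ^/gallery/watch/(.+)$ /api/og/gallery/$1 last;
        }
        set $upstream_admin http://changemaker-v2-admin:3000;
        proxy_pass $upstream_admin;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Admin GUI (default)
    # nginx applies no authentication in this block; access control for the
    # admin GUI rests entirely on the upstream application.
    location / {
        set $upstream_admin http://changemaker-v2-admin:3000;
        proxy_pass $upstream_admin;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Media API (direct path - used by admin GUI media-api.ts client)
    # Rewrites /media/* to /api/* (matches Vite dev proxy behavior)
    # Uses variable proxy_pass for runtime DNS resolution after container restarts
    location /media/ {
        set $upstream_media_default http://changemaker-media-api:4100;
        rewrite ^/media/(.*) /api/$1 break;
        proxy_pass $upstream_media_default;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Large upload support
        # With request buffering off, the body is streamed to the upstream as
        # it arrives, and nginx accepts up to 10G per request without any
        # authentication of its own. The media API has to authenticate the
        # request and enforce its own size and quota limits before accepting
        # the body.
        client_max_body_size 10G;
        proxy_read_timeout 3600s;
        proxy_connect_timeout 75s;
        proxy_request_buffering off;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Media API
    # Prefix locations are selected by longest match, not by order in the file,
    # so /api/media/ wins over /api/ wherever it is declared. It is kept above
    # /api/ for readability only.
    location /api/media/ {
        set $upstream_media http://changemaker-media-api:4100;
        proxy_pass $upstream_media;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Large upload support (same caveat as /media/: the upstream must
        # authenticate and bound uploads, because nginx streams them through)
        client_max_body_size 10G;
        proxy_read_timeout 3600s;
        proxy_connect_timeout 75s;
        proxy_request_buffering off;

        # WebSocket support for future features
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # API (Express) — includes WebSocket upgrade for docs collaboration
    location /api/ {
        set $upstream_api http://changemaker-v2-api:4000;
        proxy_pass $upstream_api;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (docs collaboration via Hocuspocus)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}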