import { getProtectedDevice } from "../../../db/protectedDevices";
import {
  generateMacOSDnsProfile,
  labelToSlug,
} from "../../../utils/mobileconfig";

/**
 * GET /api/devices/:id/profile.mobileconfig
 *
 * PUBLIC: the Mac must be able to fetch this without an auth header.
 * The dnsToken embedded in the profile IS the device's authentication
 * towards the DoH server.
 *
 * Responds with a macOS DNS-over-HTTPS configuration profile.
 * Content-Type: application/x-apple-aspen-config
 *
 * NOTE(review): this handler performs no authentication, so knowing `:id`
 * is the only thing gating access to the device's dnsToken. This presumably
 * relies on ids being long and unguessable. Confirm against how ids are
 * generated, and check whether the route is rate limited upstream.
 *
 * @throws 400 `ID_REQUIRED` when the route parameter is missing.
 * @throws 404 `DEVICE_NOT_FOUND` when the device is unknown or revoked.
 */
export default defineEventHandler(async (event) => {
  const routeId = getRouterParam(event, "id");
  if (!routeId) {
    throw createError({ statusCode: 400, data: { error: "ID_REQUIRED" } });
  }

  const record = await getProtectedDevice(routeId);

  // Revoked devices get the same 404 as unknown ids, so the response does
  // not distinguish "never existed" from "revoked".
  const isUnavailable = !record || record.status === "revoked";
  if (isUnavailable) {
    throw createError({ statusCode: 404, data: { error: "DEVICE_NOT_FOUND" } });
  }

  const { id: deviceId, dnsToken, label } = record;
  const profileBody = generateMacOSDnsProfile({ deviceId, dnsToken, label });

  // Download name is derived from the device label; "schutz" is the fallback
  // when the slug comes back empty.
  const slug = labelToSlug(label);
  const baseName = slug || "schutz";
  const filename = `rebreak-${baseName}.mobileconfig`;

  const responseHeaders = [
    ["Content-Type", "application/x-apple-aspen-config"],
    ["Content-Disposition", `attachment; filename="${filename}"`],
    // No caching: the profile carries the sensitive dnsToken.
    ["Cache-Control", "no-store"],
  ];
  for (const [headerName, headerValue] of responseHeaders) {
    setHeader(event, headerName, headerValue);
  }

  return profileBody;
});