import { isIP } from 'node:net';

const MAX_UNSIGNED_INT32 = 0xffffffff;

function parseIpv4(ip: string): number[] | null {
    const parts = ip.split('.');
    if (parts.length !== 4) {
        return null;
    }

    const values: number[] = [];
    for (const part of parts) {
        if (!/^\d+$/.test(part)) {
            return null;
        }
        const value = Number(part);
        if (!Number.isInteger(value) || value < 0 || value > 255) {
            return null;
        }
        values.push(value);
    }

    return values;
}

function parseIntegerIpv4Literal(hostname: string): string | null {
    if (!/^\d+$/.test(hostname)) {
        return null;
    }
    const value = Number(hostname);
    if (!Number.isInteger(value) || value < 0 || value > MAX_UNSIGNED_INT32) {
        return null;
    }

    const a = (value >>> 24) & 255;
    const b = (value >>> 16) & 255;
    const c = (value >>> 8) & 255;
    const d = value & 255;
    return `${a}.${b}.${c}.${d}`;
}

function isPrivateIpv4(ip: string): boolean {
    const parts = parseIpv4(ip);
    if (!parts) {
        return false;
    }

    const [a, b] = parts;
    return (
        a === 10 ||
        a === 127 ||
        a === 0 ||
        (a === 100 && b >= 64 && b <= 127) ||
        (a === 169 && b === 254) ||
        (a === 172 && b >= 16 && b <= 31) ||
        (a === 192 && b === 168) ||
        (a === 198 && (b === 18 || b === 19))
    );
}

function isPrivateIpv6(ip: string): boolean {
    const normalized = ip.toLowerCase();

    if (normalized === '::1' || normalized === '::') {
        return true;
    }

    if (normalized.startsWith('::ffff:')) {
        const mapped = normalized.slice('::ffff:'.length);
        return isPrivateIpv4(mapped);
    }

    if (/^(fc|fd)/.test(normalized)) {
        return true;
    }

    if (/^fe[89ab]/.test(normalized)) {
        return true;
    }

    return false;
}

function isPrivateOrLocalIp(ip: string): boolean {
    const version = isIP(ip);
    if (version === 4) {
        return isPrivateIpv4(ip);
    }
    if (version === 6) {
        return isPrivateIpv6(ip);
    }
    return false;
}

export function isPrivateOrLocalHostname(hostname: string): boolean {
    const host = hostname.trim().toLowerCase();
    if (!host) {
        return true;
    }

    if (host === 'localhost' || host.endsWith('.localhost')) {
        return true;
    }

    if (host === 'metadata.google.internal' || host === 'metadata.azure.internal') {
        return true;
    }

    const integerIp = parseIntegerIpv4Literal(host);
    if (integerIp && isPrivateIpv4(integerIp)) {
        return true;
    }

    if (isPrivateOrLocalIp(host)) {
        return true;
    }

    return false;
}

export function isPublicHttpUrl(url: string): boolean {
    try {
        const parsed = new URL(url);
        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
            return false;
        }
        return !isPrivateOrLocalHostname(parsed.hostname);
    } catch {
        return false;
    }
}

export function assertPublicHttpUrl(url: string | URL, label: string = 'URL'): void {
    const parsed = typeof url === 'string' ? new URL(url) : url;
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
        throw new Error(`${label} must use HTTP or HTTPS`);
    }
    if (isPrivateOrLocalHostname(parsed.hostname)) {
        throw new Error(`${label} points to a private or local network target, which is not allowed`);
    }
}