#!/bin/sh
set -eu

# Never run with TLS verification disabled
if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-}" = "0" ]; then
  unset NODE_TLS_REJECT_UNAUTHORIZED
fi

# No proxy envs
unset HTTPS_PROXY HTTP_PROXY ALL_PROXY NO_PROXY || true

# Diagnostics tools
apk add --no-cache ca-certificates openssl curl bind-tools >/dev/null 2>&1 || true
update-ca-certificates >/dev/null 2>&1 || true

WORKER_HOST="fb-proxy.esafux.workers.dev"

echo "===== Application Startup at $(date -u '+%Y-%m-%d %H:%M:%S') ====="
echo "== NODE_OPTIONS =="; echo "${NODE_OPTIONS:-}" || true

echo "== DNS before =="
cat /etc/resolv.conf || true

resolve_host() {
  getent hosts "$1" >/dev/null 2>&1
}

# If HF resolver can't resolve the Worker host, switch to public DNS
if ! resolve_host "$WORKER_HOST"; then
  echo "== DNS fallback: cannot resolve $WORKER_HOST with HF DNS =="
  if [ -w /etc/resolv.conf ]; then
    cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
    printf "nameserver 1.1.1.1\nnameserver 8.8.8.8\noptions timeout:2 attempts:2\n" > /etc/resolv.conf || true
  fi
fi

echo "== DNS after =="
cat /etc/resolv.conf || true

echo "== DNS check (worker) =="
getent hosts "$WORKER_HOST" || true
dig +short A "$WORKER_HOST" || true
dig +short AAAA "$WORKER_HOST" || true

echo "== HTTPS probe (worker) =="
curl -sS -o /dev/null -w "worker:%{http_code}\n" "https://$WORKER_HOST/fb/v23.0/me?fields=id,name" || true

echo "Initializing n8n process"
exec su-exec node "$@"