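# Demo nginx front end: serves a static site on port 8000 and gates it with
# auth_request subrequests to a backend on 127.0.0.1:5115 (the comments below
# call it FastAPI). Login, logout and /me are proxied to that same backend.
#
# Review notes applied in this version:
#   * add_header only emits on a fixed set of 2xx/3xx status codes unless
#     `always` is given, so the no-cache headers were silently dropped on
#     403/404 responses. `always` is now set on every cache-control header.
#   * /me proxied to "localhost" while every other upstream used 127.0.0.1;
#     it now uses 127.0.0.1 too, so all backend traffic targets one address.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        # Plain HTTP on all interfaces: whatever credential the backend uses
        # for the session crosses the wire unencrypted. Acceptable for a local
        # demo only; put TLS in front before exposing this beyond localhost.
        listen 8000;
        server_name localhost;

        root /usr/share/nginx/html;
        index index.html;

        # Custom error pages
        # These server-level handlers are inherited only by locations that
        # declare no error_page of their own.
        error_page 403 /403/;
        error_page 404 /404/;

        # Everything not matched by a more specific location is protected.
        location / {
            # Subrequest to /authz decides access: 2xx allows, 401/403 deny.
            auth_request /authz;
            error_page 401 = @login;      # If not authed, redirect to login page
            # NOTE(review): with `=` and no explicit code the client sees the
            # status produced by @forbidden's handling, which ends in a static
            # file - confirm whether the 403 page is delivered as 403 or 200.
            error_page 403 = @forbidden;  # If forbidden, show custom 403 page

            # Disable all caching for demo purposes
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT" always;

            # error_page 404 is not inherited here (this location defines its
            # own error_page lines), hence the explicit @not_found fallback.
            try_files $uri $uri/ @not_found;
        }

        # Authorization endpoint used by auth_request. `internal` keeps
        # clients from calling it directly through this server.
        location = /authz {
            internal;
            proxy_pass http://127.0.0.1:5115/authz;
            # Tell the backend which URI is being authorized.
            proxy_set_header X-Original-URI $request_uri;
            # The auth decision does not need the request body.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
        }

        location @login {
            # NOTE(review): the built-in 302 response presumably already
            # carries a Content-Type; confirm this does not duplicate it.
            add_header Content-Type text/html;
            # Hard-coded absolute URL: only correct while clients reach this
            # server as http://localhost:8000.
            return 302 http://localhost:8000/login/;
        }

        # Prefix match: covers /me and any URI that starts with /me.
        location /me {
            auth_request /authz;
            error_page 401 = @login;      # If not authed, redirect to login page
            error_page 403 = @forbidden;  # If forbidden, show custom 403 page

            # Disable all caching for demo purposes
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT" always;

            # Same address as the /authz, /login and /logout upstreams.
            proxy_pass http://127.0.0.1:5115/me;
        }

        location @forbidden {
            # The response is produced by the /403/ location after the
            # internal rewrite below, so that location's headers are the ones
            # the client receives; these are kept as a fallback.
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT" always;
            rewrite ^.*$ /403/ last;
        }

        location @not_found {
            # No error_page is declared here, so the server-level
            # `error_page 404 /404/` applies to the 404 returned below.
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT" always;
            return 404;
        }

        # Login page is public
        location /login/ {
            # Disable caching for login page too
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT" always;
            try_files $uri $uri/index.html =404;
        }

        # Custom error pages are public and shouldn't be cached
        # These are normally served with a 403/404 status, which is exactly
        # the case where add_header needs `always` to take effect.
        location ~ ^/(403|404)/$ {
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "Thu, 01 Jan 1970 00:00:00 GMT" always;
            try_files $uri $uri/index.html =404;
        }

        # Handle /login - GET goes to page, POST goes to FastAPI
        location = /login {
            if ($request_method = GET) {
                return 302 /login/;
            }
            # POST requests go to FastAPI
            # NOTE(review): only GET is filtered above, so every other method
            # (HEAD, PUT, ...) is forwarded as well; the backend has to reject
            # the ones it does not expect.
            proxy_pass http://127.0.0.1:5115/login;
            proxy_set_header Content-Type $content_type;
            proxy_pass_request_body on;
        }

        # NOTE(review): no auth_request and no method restriction here, and the
        # prefix match covers any URI starting with /logout. Confirm the
        # backend limits which requests may end a session.
        location /logout {
            proxy_pass http://127.0.0.1:5115/logout;
            # Ensure logout response isn't cached
            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
        }
    }
}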