'use strict';

const config = require(__dirname+'/../config.js')
	, dynamicResponse = require(__dirname+'/dynamic.js')
	, { addCallback } = require(__dirname+'/../redis.js')

let refererCheck, allowedHosts, allowedHostSet;
const updateReferers = () => {
	({ refererCheck, allowedHosts } = config.get);
	allowedHostSet = new Set(allowedHosts);
}
updateReferers();
addCallback('config', updateReferers);


module.exports = (req, res, next) => {
	if (req.method !== 'POST') {
		return next();
	}
	let validReferer = false;
	try {
		const url = new URL(req.headers.referer);
		validReferer = allowedHostSet.has(url.hostname);
	} catch(e) {
		//referrer is invalid url
	}
	if (refererCheck === true && (!req.headers.referer || !validReferer)) {
        return dynamicResponse(req, res, 403, 'message', {
			'title': 'Forbidden',
			'message': 'Invalid or missing "Referer" header. Are you posting from the correct URL?'
		});
	}
	next();
}