<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AddContentSecurityPolicy
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Build CSP header
        if (app()->environment('local')) {
            // Relaxed CSP for local development with Vite
            $csp = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; " .
                   "style-src 'self' 'unsafe-inline' http: https:; " .
                   "connect-src 'self' ws: http: https:;";
        } else {
            // Production CSP - Livewire v3 requires unsafe-eval
            $csp = "script-src 'self' 'unsafe-eval' https:; " .
                   "style-src 'self' 'unsafe-inline' https:; " .
                   "connect-src 'self' https:;";
        }

        $response->headers->set('Content-Security-Policy', $csp);

        return $response;
    }
}