package dav

import (
	"net/http"
	"net/url"
	"strings"
	"time"
)

// NewHTTPClient uses Go's default TLS validation; cert correctness is the
// dedicated TLS checker's job, not ours.
func NewHTTPClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
	}
}

// basicAuthRoundTripper scopes Basic auth to a single host, so a redirect
// to a different host won't leak credentials to a third party. Matches
// curl's behaviour without --location-trusted.
type basicAuthRoundTripper struct {
	user, pass string
	host       string
	next       http.RoundTripper
}

func (b *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	if strings.EqualFold(req.URL.Host, b.host) {
		req.SetBasicAuth(b.user, b.pass)
	}
	return b.next.RoundTrip(req)
}

// WithBasicAuth attaches credentials scoped to the host of contextURL.
func WithBasicAuth(c *http.Client, contextURL, user, pass string) *http.Client {
	nc := *c
	base := c.Transport
	if base == nil {
		base = http.DefaultTransport
	}
	host := ""
	if u, err := url.Parse(contextURL); err == nil {
		host = u.Host
	}
	nc.Transport = &basicAuthRoundTripper{user: user, pass: pass, host: host, next: base}
	return &nc
}