/**
 * VulnBank - Express Server with intentional vulnerabilities
 *
 * Vulnerabilities:
 * - TLS verification disabled
 * - CORS wildcard
 * - Insecure JWT verification
 */

const express = require('express');
const jwt = require('jsonwebtoken');
const https = require('https');

const app = express();
app.use(express.json());

// BLOCK: Hardcoded JWT secret in source code
const JWT_SECRET = 'super_secret_jwt_key_12345';

// BLOCK: CORS allows any origin
app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Credentials', 'true');
  res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');
  next();
});

// VULNERABILITY: TLS verification disabled
app.get('/api/external', async (req, res) => {
  const url = req.query.url;

  // BLOCK: rejectUnauthorized: false disables TLS certificate verification
  const agent = new https.Agent({
    rejectUnauthorized: false
  });

  try {
    const fetch = require('node-fetch');
    const response = await fetch(url, { agent });
    const data = await response.json();
    res.json(data);
  } catch (error) {
    res.status(500).json({ error: error.message });
  }
});

// VULNERABILITY: JWT without algorithm verification
app.post('/api/verify', (req, res) => {
  const token = req.headers.authorization;

  try {
    // BLOCK: JWT verification without algorithm specification allows algorithm confusion
    const decoded = jwt.verify(token, JWT_SECRET);
    res.json({ valid: true, payload: decoded });
  } catch (error) {
    res.status(401).json({ valid: false, error: error.message });
  }
});

// VULNERABILITY: JWT decode without verification
app.get('/api/user-info', (req, res) => {
  const token = req.headers.authorization;

  // BLOCK: jwt.decode without verification - anyone can forge tokens
  const payload = jwt.decode(token);
  res.json(payload);
});

app.listen(3000, () => {
  console.log('VulnBank Node.js server running on port 3000');
  console.log('Run `aphoria scan` to detect vulnerabilities');
});