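"""VulnBank - Flask application with intentional vulnerabilities.

This module is a deliberately insecure fixture. The weaknesses it exists to
exhibit are marked with ``# BLOCK:`` comments and are kept exactly as written:

- TLS verification disabled (``verify=False`` on every outbound request)
- Hardcoded secrets (``SECRET_KEY`` committed in source)
- No rate limiting on the API routes
- Debug mode enabled on the server entry point

Two further weaknesses are visible in the code but not on that list, so they
are only flagged in comments, not changed: ``/api/data`` fetches a
caller-supplied URL from the server's network position (SSRF), and the
values ``/api/pay`` forwards to the payment API are not validated.

What this revision does change: outbound calls now carry a timeout
(``requests`` has none by default, so a stalled upstream would pin a worker
indefinitely), and ``/api/pay`` answers a malformed body with 400 instead of
crashing into a 500 on a ``KeyError``/``TypeError``.
"""

import requests
from flask import Flask, jsonify, request

app = Flask(__name__)

# BLOCK: Hardcoded secret key in source code
SECRET_KEY = "my_super_secret_key_12345"
app.config['SECRET_KEY'] = SECRET_KEY

# Upper bound, in seconds, on each outbound HTTP call (connect and read).
REQUEST_TIMEOUT = 10

# Upstream used by /api/data when the caller supplies no ``url``.
DEFAULT_DATA_URL = 'https://api.example.com/data'

# Charge endpoint of the payment provider.
PAYMENT_CHARGE_URL = "https://payment.example.com/charge"


def fetch_external_data(url: str) -> dict:
    """GET ``url`` and return its body decoded as JSON.

    VULNERABILITY: TLS certificate verification disabled
    Allows man-in-the-middle attacks

    Args:
        url: Absolute URL to fetch. It is not validated here; the only
            caller in this file passes it straight from the query string.

    Returns:
        The decoded JSON body.

    Raises:
        requests.RequestException: on connection failure or timeout.
        ValueError: if the response body is not valid JSON.
    """
    # BLOCK: verify=False disables TLS certificate verification
    # (requests also emits an InsecureRequestWarning for every such call)
    response = requests.get(url, verify=False, timeout=REQUEST_TIMEOUT)
    return response.json()


def call_payment_api(amount: float, card_token: str) -> dict:
    """POST a charge for ``amount`` against ``card_token`` and return the reply.

    VULNERABILITY: No TLS verification on payment API
    Credit card data can be intercepted

    Args:
        amount: Charge amount, forwarded as-is in the JSON body.
        card_token: Payment token, forwarded as-is in the JSON body.

    Returns:
        The payment API's JSON reply.

    Raises:
        requests.RequestException: on connection failure or timeout.
        ValueError: if the reply body is not valid JSON.
    """
    # BLOCK: verify=False on payment endpoint - critical vulnerability
    response = requests.post(
        PAYMENT_CHARGE_URL,
        json={"amount": amount, "token": card_token},
        verify=False,
        timeout=REQUEST_TIMEOUT,
    )
    return response.json()


@app.route('/api/data')
def get_data():
    """Proxy a GET to the ``url`` query parameter and relay its JSON.

    No rate limiting - vulnerable to abuse

    NOTE(review): ``url`` is taken verbatim from the request, so this route
    fetches whatever address the caller names, using the server's own network
    access (SSRF). That is not among the header's listed vulnerabilities, so
    it is flagged here rather than changed; a real service would restrict the
    host to an allowlist.
    """
    # BLOCK: No rate limiting configured - API abuse possible
    url = request.args.get('url', DEFAULT_DATA_URL)
    return jsonify(fetch_external_data(url))


@app.route('/api/pay', methods=['POST'])
def process_payment():
    """Charge the card described by the JSON request body.

    Process payment with insecure TLS

    Expects a JSON object with ``amount`` and ``card_token``. A body that is
    not a JSON object, or lacks either key, gets a 400 instead of the 500 a
    bare ``data['amount']`` lookup would produce. Both values are still
    forwarded to the payment API without type or range checks.
    """
    # silent=True yields None for a missing/invalid JSON body instead of
    # raising, so the shape check below covers every malformed input.
    data = request.get_json(silent=True)
    if not isinstance(data, dict):
        return jsonify({"error": "JSON object body required"}), 400
    missing = [key for key in ("amount", "card_token") if key not in data]
    if missing:
        return jsonify({"error": f"missing field(s): {', '.join(missing)}"}), 400
    result = call_payment_api(data['amount'], data['card_token'])
    return jsonify(result)


if __name__ == '__main__':
    # BLOCK: Debug mode enabled in production
    # debug=True turns on the interactive Werkzeug debugger; together with
    # host='0.0.0.0' it is reachable on every interface of the machine.
    app.run(debug=True, host='0.0.0.0', port=5000)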