export default {
  async fetch(request: Request, env: { TUNNEL_URL: string; WEBHOOK_SECRET?: string }): Promise<Response> {
    const url = new URL(request.url);

    if (url.pathname === "/health") {
      return new Response(
        JSON.stringify({ ok: true, proxy: "rc-notifications" }),
        { headers: { "Content-Type": "application/json" } },
      );
    }

    // RingCentral webhook validation handshake — must respond immediately
    const validationToken = request.headers.get("Validation-Token");
    if (validationToken) {
      return new Response(validationToken, {
        status: 200,
        headers: {
          "Validation-Token": validationToken,
          "Content-Type": "text/plain",
        },
      });
    }

    // Compute HMAC signature if secret is configured
    const body = await request.text();
    const headers = new Headers(request.headers);
    headers.set("X-Forwarded-Host", url.hostname);

    if (env.WEBHOOK_SECRET) {
      const key = await crypto.subtle.importKey(
        "raw",
        new TextEncoder().encode(env.WEBHOOK_SECRET),
        { name: "HMAC", hash: "SHA-256" },
        false,
        ["sign"],
      );
      const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(body));
      const hex = [...new Uint8Array(sig)].map((b) => b.toString(16).padStart(2, "0")).join("");
      headers.set("X-RC-Webhook-Signature", hex);
    }

    // Forward to local server
    const targetUrl = `${env.TUNNEL_URL}/api/rc-webhook`;

    try {
      const response = await fetch(targetUrl, {
        method: request.method,
        headers,
        body,
      });

      return new Response(response.body, {
        status: response.status,
        statusText: response.statusText,
        headers: response.headers,
      });
    } catch (err) {
      return new Response(
        JSON.stringify({ error: "tunnel_unreachable", message: String(err) }),
        { status: 502, headers: { "Content-Type": "application/json" } },
      );
    }
  },
};
