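#!/bin/bash
# Automatic rotation of the DEBUG_AUTH_TOKEN bypass secret (Phase 11b).
#
# Generates a new secret once a week, writes it to
# /opt/gwoe-antragspruefer-dev/.env and re-creates the container so the
# changed ENV value actually takes effect.
#
# Cron (Sunday 04:00):
#   0 4 * * 0 /opt/gwoe-antragspruefer-dev/scripts/rotate-debug-token.sh \
#       >> /var/log/gwoe-rotate-debug.log 2>&1
#
# Handling of the secret:
#   - The token value itself is never written to the log; only the fact of
#     the rotation is.
#   - The .env file is rewritten through a temp file created in the SAME
#     directory, so the final mv is an atomic rename on one filesystem
#     (a temp file under /tmp would be a cross-filesystem copy, and a
#     half-written copy could be observed). mktemp creates it 0600.
#   - Mode and owner of the existing .env are carried over to the new file;
#     the script warns if that mode leaves the token world-readable.
#   - If the container re-create fails, the file already holds the new token
#     while the running container still accepts the old one; this is logged
#     as FAIL so the operator can re-run or investigate.
#
# Requires GNU coreutils (date -Iseconds, chmod/chown --reference) and
# python3 for the CSPRNG; the target is a Linux docker host.
set -euo pipefail

readonly ENV_FILE="/opt/gwoe-antragspruefer-dev/.env"
readonly COMPOSE_FILE="/opt/gwoe-antragspruefer-dev/docker-compose.dev.yml"
readonly ENV_KEY="DEBUG_AUTH_TOKEN"

#######################################
# Timestamped log line on stdout (cron redirects stdout into the log file).
# Arguments: $* - message
#######################################
log() {
  printf '%s %s\n' "$(date -Iseconds)" "$*"
}

#######################################
# Timestamped FAIL line, then exit 1.
# Arguments: $* - failure description
#######################################
die() {
  log "FAIL — $*"
  exit 1
}

#######################################
# Generate a new URL-safe random token from 32 bytes of CSPRNG output.
# Outputs: the token on stdout
# Returns: python3's exit status
#######################################
generate_token() {
  python3 -c "import secrets; print(secrets.token_urlsafe(32))"
}

#######################################
# Replace (or append) KEY=VALUE in an env file atomically, keeping the
# file's mode and owner.
# Arguments: $1 - env file path, $2 - key, $3 - value
# Outputs:   WARN line on stdout if the resulting file is world-readable
# Returns:   0 on success; exits via die on any failure
#######################################
write_env_value() {
  local env_file=$1 key=$2 value=$3
  local tmp perms
  # Temp file next to the target: same filesystem, so mv is a rename.
  tmp=$(mktemp "${env_file}.XXXXXX") || die "mktemp failed for $env_file"
  # Remove the temp file if anything below fails so a partially written
  # copy of the new secret does not linger on disk.
  trap 'rm -f -- "$tmp"' EXIT
  # grep -v exits 1 when it selects nothing (file held only the key line);
  # that is fine. Any other non-zero status (2 = read error) is fatal.
  grep -v -e "^${key}=" -- "$env_file" > "$tmp" || [ $? -eq 1 ]
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  # Carry over the original permissions/ownership instead of mktemp's
  # 0600/current-user, so whoever reads .env today can still read it.
  chmod --reference="$env_file" -- "$tmp"
  chown --reference="$env_file" -- "$tmp" 2>/dev/null \
    || log "WARN — could not preserve owner of $env_file"
  mv -f -- "$tmp" "$env_file"
  trap - EXIT
  # Other-readable .env means every local user can read the bypass token.
  perms=$(stat -c '%A' -- "$env_file")
  if [[ "${perms:7:1}" == "r" ]]; then
    log "WARN — $env_file is world-readable (${perms}); the token is exposed to all local users"
  fi
}

#######################################
# Entry point: validate inputs, rotate the token, re-create the container.
#######################################
main() {
  [ -f "$ENV_FILE" ] || die "$ENV_FILE not found"
  [ -f "$COMPOSE_FILE" ] || die "$COMPOSE_FILE not found"
  command -v python3 >/dev/null || die "python3 not available to generate the token"

  local new_token
  # Assignment kept separate from 'local' so a python3 failure is not masked.
  new_token=$(generate_token) || die "token generation failed"
  [ -n "$new_token" ] || die "token generation produced an empty value"

  write_env_value "$ENV_FILE" "$ENV_KEY" "$new_token"
  log "ROTATED — new token written to $ENV_FILE"

  # Compose reads .env only when a container is (re)created, so the running
  # container must be re-created for the new value to take effect. Until
  # that succeeds the container still accepts the previous token.
  cd "${ENV_FILE%/*}" || die "cannot cd to ${ENV_FILE%/*}"
  docker compose -f "$COMPOSE_FILE" up -d --force-recreate \
    || die "container re-create failed — $ENV_FILE holds the new token but the running container still uses the old one"
  log "END"
}

main "$@"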