// Package xffecho adapts [xff.TrustedProxies] for use with the Echo web
// framework's X-Forwarded-For IP extraction.
//
// # Usage
//
//	tp, err := fastlyxff.New("fastly.json")
//	if err != nil {
//		return err
//	}
//	trustOpts := xffecho.TrustOptions(tp)
//	e.IPExtractor = echo.ExtractIPFromXFFHeader(trustOpts...)
package xffecho

import (
	"net"
	"net/netip"

	"github.com/labstack/echo/v4"

	"go.ntppool.org/common/xff"
)

// TrustOptions converts a [xff.TrustedProxies] into Echo trust options
// for use with [echo.ExtractIPFromXFFHeader].
func TrustOptions(tp *xff.TrustedProxies) []echo.TrustOption {
	prefixes := tp.Prefixes()
	opts := make([]echo.TrustOption, 0, len(prefixes))
	for _, p := range prefixes {
		opts = append(opts, echo.TrustIPRange(prefixToIPNet(p)))
	}
	return opts
}

// prefixToIPNet bridges netip.Prefix (used by xff) to net.IPNet (used by Echo).
func prefixToIPNet(p netip.Prefix) *net.IPNet {
	addr := p.Masked().Addr()
	bits := p.Bits()

	ipLen := 128
	if addr.Is4() {
		ipLen = 32
	}

	return &net.IPNet{
		IP:   net.IP(addr.AsSlice()),
		Mask: net.CIDRMask(bits, ipLen),
	}
}