#!/usr/bin/env bash
# Fetch openapi.json from a backend for codegen.
#
# Usage:
#   APP_API_KEY=... bash scripts/fetch-openapi.sh
#
# Resolution order for the source URL:
#   1. $OPENAPI_URL if set (explicit override)
#   2. $APP_URL + /api-docs/oas-3.0.0.json   (oatpp swagger default)
#   3. http://127.0.0.1:${APP_TEST_PORT:-8101}/api-docs/oas-3.0.0.json
#
# The backend's openapi endpoint is auth-gated; pass $APP_API_KEY if the
# target requires it. For local codegen against a throwaway backend started
# with --allow-plaintext and an empty users table (+ SETUP_MODE), the
# anonymous pseudo-admin bypass means the API key is not required.

set -euo pipefail

URL=${OPENAPI_URL:-${APP_URL:-http://127.0.0.1:${APP_TEST_PORT:-8101}}/api-docs/oas-3.0.0.json}

AUTH_HEADER=()
if [[ -n ${APP_API_KEY:-} ]]; then
    AUTH_HEADER=(-H "Authorization: Bearer $APP_API_KEY")
fi

OUT=${OPENAPI_OUT:-openapi.json}
echo "Fetching $URL → $OUT"
curl -fsS "${AUTH_HEADER[@]}" "$URL" -o "$OUT"

# Verify it's actually JSON with an `openapi` key — oatpp sometimes returns
# HTML on 401 which would silently land here otherwise.
python3 -c "
import json, sys
d = json.load(open('$OUT'))
assert 'openapi' in d, 'not an OpenAPI spec (missing \"openapi\" key)'
print(f\"  openapi={d['openapi']}, paths={len(d.get('paths', {}))}\")
"