//go:build !slim

package httpapi

import (
	"context"
	"net/http"

	"github.com/coder/coder/v2/coderd/rbac"
)

// The x-authz-checks header can end up being >10KB in size on certain queries.
// Many HTTP clients will fail if a header or the response head as a whole is
// too long to prevent malicious responses from consuming all of the client's
// memory. I've seen reports that browsers have this limit as low as 4KB for the
// entire response head, so we limit this header to a little less than 2KB,
// ensuring there's still plenty of room for the usual smaller headers.
const maxHeaderLength = 2000

// This is defined separately in slim builds to avoid importing the rbac
// package, which is a large dependency.
func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
		// If you're here because you saw this header in a response, and you're
		// trying to investigate the code, here are a couple of notable things
		// for you to know:
		// - If any of the checks are `false`, they might not represent the whole
		//   picture. There could be additional checks that weren't performed,
		//   because processing stopped after the failure.
		// - The checks are recorded by the `authzRecorder` type, which is
		//   configured on server startup for development and testing builds.
		// - If this header is missing from a response, make sure the response is
		//   being written by calling `httpapi.Write`!
		checks := rec.String()
		if len(checks) > maxHeaderLength {
			checks = checks[:maxHeaderLength]
			checks += "<truncated>"
		}
		rw.Header().Set("x-authz-checks", checks)
	}
}