#!/usr/bin/env bash
# Generate a self-signed certificate for local HTTPS development.
# EVE SSO requires HTTPS for the callback URL.
#
# Usage: ./scripts/generate-cert.sh
#
# This creates:
#   certs/localhost-key.pem  — Private key
#   certs/localhost.pem      — Self-signed certificate
#
# The cert is valid for 365 days and covers localhost + 127.0.0.1.

set -euo pipefail

CERT_DIR="certs"
mkdir -p "$CERT_DIR"

echo "Generating self-signed certificate for localhost..."

openssl req -x509 \
  -newkey rsa:2048 \
  -keyout "$CERT_DIR/localhost-key.pem" \
  -out "$CERT_DIR/localhost.pem" \
  -days 365 \
  -nodes \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

echo ""
echo "Certificate generated:"
echo "  Key:  $CERT_DIR/localhost-key.pem"
echo "  Cert: $CERT_DIR/localhost.pem"
echo ""
echo "To trust this certificate on macOS:"
echo "  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $CERT_DIR/localhost.pem"
echo ""
echo "To trust on Windows (PowerShell as Admin):"
echo '  Import-Certificate -FilePath "certs\localhost.pem" -CertStoreLocation Cert:\LocalMachine\Root'
echo ""
echo "Then run: npm run dev:https"