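# frozen_string_literal: true

# Base controller for the application.
# Provides common functionality and security configurations for all controllers.
class ApplicationController < ActionController::Base
  # Protect against Cross-Site Request Forgery (CSRF) attacks.
  # Every non-GET/HEAD request must carry a valid authenticity token; a request
  # without one raises ActionController::InvalidAuthenticityToken instead of
  # being processed with a silently nullified session.
  protect_from_forgery with: :exception

  # Gate every request behind the onboarding flow: a signed-in user who has not
  # finished onboarding is sent back to it (see #require_onboarding_completion).
  before_action :require_onboarding_completion

  # Browser allow-list -- currently DISABLED (both directives are commented out).
  # When enabled, `allow_browser versions: :modern` rejects browsers that lack:
  # - WebP images for better compression
  # - Web Push notifications
  # - Badge API for notifications
  # - Import maps for JavaScript modules
  # - CSS nesting and :has() pseudo-class
  # allow_browser versions: :modern
  # allow_browser versions: { safari: 16.4, firefox: 121, ie: false }

  private

  # Redirects a signed-in user who still needs onboarding to the onboarding
  # page. Runs as a before_action on every request handled by a controller
  # inheriting from this one, unless #skip_onboarding_check? exempts it.
  #
  # @return [void]
  def require_onboarding_completion
    # Devise, onboarding, API and health-check controllers are exempt.
    return if skip_onboarding_check?

    # Anonymous users are handled by authentication, not by onboarding.
    return unless user_signed_in? && current_user.needs_onboarding?

    # Guard against a redirect loop should the onboarding page ever be served
    # by a controller that is not exempted above.
    redirect_to onboarding_path unless request.path == onboarding_path
  end

  # Whether the onboarding gate should be bypassed for the current request.
  #
  # `controller_name` is the *unqualified* name ("users" for
  # Api::V1::UsersController, "health" for Rails::HealthController) and can
  # never contain a "/", so namespaced controllers are matched on
  # `controller_path` ("api/v1/users", "rails/health") instead; comparing
  # `controller_name` against a slash-containing string never matches.
  #
  # @return [Boolean]
  def skip_onboarding_check?
    # Devise controllers (login, signup, password reset, etc.)
    devise_controller? ||
      # The onboarding controller itself
      controller_name == "onboarding" ||
      # API endpoints (any controller under the Api namespace)
      controller_path.start_with?("api/") ||
      # Rails' built-in health check
      controller_path == "rails/health"
  end
end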