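"""Webhook receiver for hightrusted CAPTURE — minimal Flask server.

Prerequisite:
    pip install hightrusted-capture flask

Run:
    export HIGHTRUSTED_WEBHOOK_SECRET=wh_secret_...
    python examples/webhook_receiver.py

Create a capture with a webhook:
    client.capture_webhook(
        url="https://example.com",
        webhook_url="https://your-domain.tld/webhooks/capture",
        reference="case-001",
    )

Security notes for anyone adapting this example:
    * The signature is checked over the raw request bytes before anything in
      the body is parsed or acted on.
    * A valid signature shows who produced the body, not that the delivery
      is fresh. Processing should therefore be idempotent.
    * ``app.run`` starts Flask's development server. For real traffic, run
      the app under a production WSGI server behind TLS.
"""

import json
import os

from flask import Flask, request
from hightrusted_capture import verify_webhook_signature

# Fail closed: a missing variable raises KeyError at import time, and an empty
# value is rejected explicitly so signatures are never checked against an
# empty key.
WEBHOOK_SECRET = os.environ["HIGHTRUSTED_WEBHOOK_SECRET"]
if not WEBHOOK_SECRET:
    raise RuntimeError("HIGHTRUSTED_WEBHOOK_SECRET must not be empty")

app = Flask(__name__)

# The whole body has to be read before the signature can be checked, so the
# size cap is the only limit that applies to unauthenticated senders. Flask
# answers larger requests with 413. 1 MiB is an example value; size it to the
# largest payload the provider actually sends.
app.config["MAX_CONTENT_LENGTH"] = 1024 * 1024


def _reject_payload(reason):
    """Log why a correctly signed payload was refused and build the 400 response."""
    app.logger.warning("Webhook payload rejected: %s", reason)
    return {"error": "invalid_payload"}, 400


@app.post("/webhooks/capture")
def capture_webhook():
    """Verify and dispatch one hightrusted CAPTURE webhook delivery.

    Returns:
        ``({"error": "invalid_signature"}, 401)`` when the signature check
        fails, ``({"error": "invalid_payload"}, 400)`` when a signed body is
        not a JSON object of the expected shape, and ``({"ok": True}, 200)``
        otherwise, including for event types this example does not handle.
    """
    # Raw bytes: the signature covers the exact bytes received, so verification
    # must not run on re-serialised JSON.
    body = request.get_data()
    # A missing header becomes "" and is left to the verifier to refuse.
    signature = request.headers.get("X-Hightrusted-Signature", "")

    if not verify_webhook_signature(body, signature, WEBHOOK_SECRET):
        app.logger.warning("Webhook signature mismatch")
        return {"error": "invalid_signature"}, 401

    # Authenticated is not the same as well-formed: answer a malformed body
    # with 400 instead of letting an exception surface as a 500.
    try:
        payload = json.loads(body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from it
        return _reject_payload("body is not valid JSON")

    if not isinstance(payload, dict):
        return _reject_payload("top-level JSON value is not an object")

    event = payload.get("event")
    if not isinstance(event, str):
        return _reject_payload("missing or non-string 'event'")

    if event == "capture.ready":
        capture = payload.get("capture")
        if (
            not isinstance(capture, dict)
            or "id" not in capture
            or "verify_url" not in capture
        ):
            return _reject_payload("'capture' lacks 'id' or 'verify_url'")

        capture_id = capture["id"]
        verify_url = capture["verify_url"]
        reference = capture.get("reference", "")
        app.logger.info(
            "Capture %s ready (ref=%s, verify=%s)",
            capture_id, reference, verify_url,
        )
        # → here: download the PDF, file it in the archive, notify the client, ...
        # NOTE(review): the same signed delivery can arrive more than once
        # (retry or replay), so key this work on capture_id and make it
        # idempotent. Before fetching verify_url, check that it points at the
        # expected service host — TODO confirm that host against the provider
        # documentation.
    elif event == "capture.failed":
        app.logger.error("Capture failed: %s", payload.get("error"))

    return {"ok": True}, 200


if __name__ == "__main__":
    # Development server, listening on every interface. Keep this for local
    # testing only; in production, run under a WSGI server behind a
    # TLS-terminating proxy.
    app.run(host="0.0.0.0", port=8000)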