#!/usr/bin/env sh
# shellcheck disable=SC2034

# DNS provider information for acme.sh
dns_mgwm_info='MGW-MEDIA.DE
Site: mgw-media.de
Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_mgwm
Options:
 MGWM_CUSTOMER Your customer number (username for Basic Auth).
 MGWM_API_HASH Your API Hash (password for Basic Auth).
Issues: github.com/acmesh-official/acme.sh
Author: (Your Name or generated by AI)
'

# Base endpoint for the MGW-MEDIA.DE API (parameters will be added as query strings)
MGWM_API_ENDPOINT="https://ipv4.api.mgw-media.de/record"

########  Public functions #####################
# This function is called by acme.sh to add a TXT record.
dns_mgwm_add() {
  fulldomain=$1
  txtvalue=$2

  _info "Using mgw-media.de DNS API for domain $fulldomain"
  _debug "fulldomain: $fulldomain"
  _debug "txtvalue: $txtvalue"

  # Load credentials from environment or acme.sh config
  MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}"
  MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}"

  # Check if credentials are set
  if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then
    _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH."
    _err "Please check these environment variables and try again."
    return 1
  fi

  # Save credentials for automatic renewal and future calls
  _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER"
  _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH"

  # Create the Basic Auth Header directly in this function's scope
  _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)"
  # Export _H1 so _get function can pick it up
  export _H1="Authorization: Basic $_credentials"
  _debug "Set Authorization Header: Basic <credentials_encoded>" # Log debug message without sensitive credentials

  # Construct the API URL for adding a record with query parameters
  _add_url="${MGWM_API_ENDPOINT}.php?action=add&fulldomain=${fulldomain}&type=txt&content=${txtvalue}"
  _debug "Calling MGWM ADD URL: ${_add_url}"

  # Execute the HTTP GET request with the Authorization Header (_H1)
  # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization.
  response="$(_get "" "$_add_url" "" "GET" "$_H1")"
  _debug "MGWM add response: $response"

  # Check the API response for success. The API returns "OK" on success.
  if [ "$response" = "OK" ]; then
      _info "TXT record for $fulldomain successfully added via MGWM API."
      _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks.
      return 0
  else
      _err "mgwm_add: Failed to add TXT record for $fulldomain. Unexpected API Response: '$response'"
      return 1
  fi
}

# This function is called by acme.sh to remove a TXT record after validation.
dns_mgwm_rm() {
  fulldomain=$1
  txtvalue=$2 # This value is not used by the RM API in this case.

  _info "Removing TXT record for $fulldomain using mgw-media.de DNS API"
  _debug "fulldomain: $fulldomain"
  _debug "txtvalue: $txtvalue" # Still logging for completeness, but not used in URL

  # Load credentials from environment or acme.sh config
  MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}"
  MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}"

  # Check if credentials are set
  if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then
    _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH."
    _err "Please check these environment variables and try again."
    return 1
  fi

  # Save credentials (important for future renewals if not saved by add function)
  _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER"
  _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH"

  # Create the Basic Auth Header directly in this function's scope
  _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)"
  # Export _H1 so _get function can pick it up
  export _H1="Authorization: Basic $_credentials"
  _debug "Set Authorization Header: Basic <credentials_encoded>" # Log debug message without sensitive credentials

  # Construct the API URL for removing a record with query parameters
  # The RM API from mgw-media.de does not expect a 'content' parameter.
  _rm_url="${MGWM_API_ENDPOINT}.php?action=rm&fulldomain=${fulldomain}&type=txt"
  _debug "Calling MGWM RM URL: ${_rm_url}"

  # Execute the HTTP GET request with the Authorization Header (_H1)
  response="$(_get "" "$_rm_url" "" "GET" "$_H1")"
  _debug "MGWM rm response: $response"

  # Check the API response for success. The API returns "OK" on success.
  if [ "$response" = "OK" ]; then
      _info "TXT record for $fulldomain successfully removed via MGWM API."
      return 0
  else
      _err "mgwm_rm: Failed to remove TXT record for $fulldomain. Unexpected API Response: '$response'"
      return 1
  fi
}

####################  Private functions below ##################################
# The _mgwm_init_env function has been inlined into dns_mgwm_add and dns_mgwm_rm
# to ensure credentials and the Authorization header are set correctly within
# each function's sub-shell context.