addEventListener("fetch", event => {
  event.respondWith(handleRequest(event.request));
});

async function handleRequest(request) {
  const url = new URL(request.url);

  // ── POST /login → imposta cookie server-side
  if (request.method === "POST" && url.pathname === "/login") {
    const body = await request.json();

    if (body.pin === "1234") {
      const html = JSON.stringify({ ok: true });
      return new Response(html, {
        headers: {
          "Content-Type": "application/json",
          // 🔑 Cookie HttpOnly impostato dal SERVER — iOS lo rispetta come prima parte
          "Set-Cookie": "sessione=attiva; Path=/; Max-Age=2592000; HttpOnly; SameSite=Lax"
        }
      });
    }

    return new Response(JSON.stringify({ ok: false }), {
      headers: { "Content-Type": "application/json" }
    });
  }

  // ── GET / → controlla se il cookie esiste già
  const cookie = request.headers.get("Cookie") || "";
  const loggato = cookie.includes("sessione=attiva");

  const html = `<!DOCTYPE html>
<html lang="it">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
  <meta name="apple-mobile-web-app-capable" content="yes">
  <meta name="apple-mobile-web-app-status-bar-style" content="default">
  <meta name="apple-mobile-web-app-title" content="TestPWA">
  <title>TestPWA</title>
  <style>
    * { box-sizing: border-box; margin: 0; padding: 0; }
    body {
      font-family: -apple-system, sans-serif;
      display: flex; align-items: center; justify-content: center;
      min-height: 100vh; background: #f5f5f5;
    }
    .box {
      background: white; border-radius: 16px;
      padding: 40px 32px; text-align: center;
      box-shadow: 0 4px 20px rgba(0,0,0,0.1);
      width: 300px;
    }
    h2 { margin-bottom: 8px; color: #1976d2; }
    p  { color: #666; font-size: 14px; margin-bottom: 24px; }
    .pin-row { display: flex; gap: 10px; justify-content: center; margin-bottom: 20px; }
    .pin-row input {
      width: 54px; height: 54px; text-align: center;
      font-size: 24px; font-weight: 700;
      border: 2px solid #1976d2; border-radius: 10px;
      outline: none;
    }
    button {
      width: 100%; padding: 14px;
      background: #1976d2; color: white;
      border: none; border-radius: 10px;
      font-size: 16px; font-weight: 600; cursor: pointer;
    }
    .errore { color: red; font-size: 13px; margin-top: 12px; min-height: 18px; }
    .app { color: #2e7d32; font-size: 18px; }
    .app span { font-size: 48px; display: block; margin-bottom: 16px; }
    .logout {
      margin-top: 20px; font-size: 12px; color: #aaa;
      text-decoration: underline; cursor: pointer; background: none;
      border: none; width: auto; padding: 0; color: #aaa;
    }
  </style>
</head>
<body>

${loggato ? `
  <div class="box">
    <div class="app">
      <span>✅</span>
      Cookie valido!<br>
      <small style="color:#666; font-size:13px;">
        Chiudi la PWA, riaprila e verifica se arrivi ancora qui.
      </small>
    </div>
    <form method="POST" action="/logout" style="margin-top:20px;">
      <button type="submit" style="background:#e53935;">Esci (cancella cookie)</button>
    </form>
  </div>
` : `
  <div class="box">
    <h2>Test PWA</h2>
    <p>PIN di test: <strong>1234</strong></p>
    <div class="pin-row">
      <input id="p1" type="number" inputmode="numeric" maxlength="1"
             oninput="scorri(this,'p2')" onkeydown="canc(event,this,'')">
      <input id="p2" type="number" inputmode="numeric" maxlength="1"
             oninput="scorri(this,'p3')" onkeydown="canc(event,this,'p1')">
      <input id="p3" type="number" inputmode="numeric" maxlength="1"
             oninput="scorri(this,'p4')" onkeydown="canc(event,this,'p2')">
      <input id="p4" type="number" inputmode="numeric" maxlength="1"
             oninput="scorri(this,'')"  onkeydown="canc(event,this,'p3')">
    </div>
    <button onclick="login()">Entra</button>
    <div class="errore" id="err"></div>
  </div>
`}

<script>
function scorri(el, next) {
  if (el.value.length > 1) el.value = el.value.slice(-1);
  if (el.value && next) document.getElementById(next).focus();
  if (!next) {
    const pin = leggiPin();
    if (pin.length === 4) login();
  }
}
function canc(e, el, prev) {
  if (e.key === "Backspace" && !el.value && prev)
    document.getElementById(prev).focus();
}
function leggiPin() {
  return ["p1","p2","p3","p4"].map(id => document.getElementById(id).value).join("");
}
async function login() {
  const pin = leggiPin();
  if (pin.length < 4) { document.getElementById("err").textContent = "Inserisci 4 cifre"; return; }
  const res = await fetch("/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ pin }),
    credentials: "same-origin"
  });
  const data = await res.json();
  if (data.ok) {
    location.reload();
  } else {
    document.getElementById("err").textContent = "PIN errato";
    ["p1","p2","p3","p4"].forEach(id => document.getElementById(id).value = "");
    document.getElementById("p1").focus();
  }
}
</script>

</body>
</html>`;

  return new Response(html, {
    headers: { "Content-Type": "text/html;charset=UTF-8" }
  });
}