// Sample service with intentional violations for demo purposes
//
// NOTE(review): this file is a rule-demo fixture. The code shapes below are the
// patterns the SEC-*/OPS-* rules are meant to flag, so they are documented here
// rather than fixed; do not copy any of the VIOLATION-marked code into a real
// service. Imports for List, HttpServletRequest, @Valid and the project types
// (UserRepository, User, CreateUserRequest, @ReltioSecured) are not present in
// the file as shown — presumably resolved elsewhere in the demo; verify before
// compiling.
package com.reltio.demo;

import org.springframework.web.bind.annotation.*;

// SEC-003 VIOLATION: Missing @ReltioSecured annotation
// The class itself carries no @ReltioSecured, so every handler that does not
// declare its own (search() below) is exposed without the privilege check the
// other handlers rely on.
@RestController
@RequestMapping("/api/users")
public class UserController {
    // Data-access collaborator; injected once and never reassigned.
    private final UserRepository repo;

    /**
     * Creates the controller with its repository.
     *
     * @param repo the repository used by every handler in this class
     */
    public UserController(UserRepository repo) {
        this.repo = repo;
    }

    // SEC-001 VIOLATION: Raw request parameter access
    // SEC-002 VIOLATION: SQL string concatenation
    /**
     * Demo of an injectable search endpoint.
     *
     * <p>The {@code name} query parameter is read straight from the servlet
     * request with no validation and spliced into a SQL string literal, so
     * request-controlled text can change the structure of the query rather than
     * just the value being compared. Combined with the missing @ReltioSecured
     * on this method, the endpoint is both unauthenticated and injectable.
     * The compliant form is a bound-parameter query (repository method or
     * {@code PreparedStatement}-style placeholder) plus a validated,
     * type-checked parameter, as {@link #getById(Long)} shows. Note also the
     * raw {@code List} return type — no element type is declared.
     *
     * @param request the raw servlet request; only the {@code name} parameter is used
     * @return whatever {@code repo.query} returns for the concatenated statement
     */
    @GetMapping("/search")
    public List search(HttpServletRequest request) {
        // Untrusted input: nothing constrains length, charset or quoting here.
        String name = request.getParameter("name");
        // The single quotes are part of the SQL text; `name` is interpolated inside them.
        return repo.query("SELECT * FROM users WHERE name = '" + name + "'");
    }

    // COMPLIANT: Validated input, parameterized query, auth annotation
    /**
     * Reference implementation of a compliant read endpoint: the privilege check
     * is declared on the handler, the path variable is typed as {@code Long} and
     * validated, and lookup goes through a repository method instead of a
     * hand-built statement.
     *
     * @param id the user id taken from the path; parsing to {@code Long} rejects
     *     non-numeric input before this method runs
     * @return the user returned by {@code repo.findById}
     */
    @ReltioSecured(resource = "users", privilege = "READ")
    @GetMapping("/{id}")
    public User getById(@PathVariable @Valid Long id) {
        return repo.findById(id);
    }

    // SEC-004 VIOLATION: Hardcoded secret
    // A credential embedded in source ends up in version control, build
    // artifacts and any stack trace or heap dump that includes the class; the
    // compliant form is injection from a secret store or environment at
    // runtime. The constant is not referenced anywhere in this file as shown.
    private static final String API_SECRET = "sk-reltio-prod-a8f3b2c1d4e5f6789";

    // OPS-002 VIOLATION: Raw stdout logging
    /**
     * Demo of a write endpoint that logs request data to raw stdout.
     *
     * <p>Authorization and input validation are declared correctly here; the
     * flagged issue is that {@code System.out.println} bypasses any structured
     * logging pipeline (levels, redaction, correlation ids), so the user-supplied
     * name is written verbatim to stdout. The compliant form is a parameterized
     * logger call at an appropriate level, without personal data where it is not
     * needed.
     *
     * @param req the validated request body
     * @return the saved user returned by {@code repo.save}
     */
    @PostMapping
    @ReltioSecured(resource = "users", privilege = "WRITE")
    public User create(@RequestBody @Valid CreateUserRequest req) {
        // Request-controlled string goes to stdout unredacted.
        System.out.println("Creating user: " + req.getName());
        return repo.save(req.toUser());
    }
}