/**
 * OIDC Provider configuration for Ghost Guild.
 *
 * ghostguild.org acts as the identity provider. Outline wiki is the sole
 * relying party (client). Members authenticate via the existing magic-link
 * flow, and the provider issues standard OIDC tokens so Outline can identify
 * them.
 */
import Provider from "oidc-provider";
import { MongoAdapter } from "./oidc-mongodb-adapter.js";
import Member from "../models/member.js";
import { connectDB } from "./mongoose.js";

let _provider: InstanceType<typeof Provider> | null = null;

export async function getOidcProvider() {
  if (_provider) return _provider;

  const config = useRuntimeConfig();
  const issuer =
    process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";

  _provider = new Provider(issuer, {
    adapter: MongoAdapter,

    clients: [
      {
        client_id: process.env.OIDC_CLIENT_ID || "outline-wiki",
        client_secret: process.env.OIDC_CLIENT_SECRET || "",
        redirect_uris: [
          "https://wiki.ghostguild.org/auth/oidc.callback",
          // Local development callback
          "http://localhost:3100/auth/oidc.callback",
        ],
        post_logout_redirect_uris: [
          "https://wiki.ghostguild.org",
          "http://localhost:3100",
        ],
        grant_types: ["authorization_code", "refresh_token"],
        response_types: ["code"],
        token_endpoint_auth_method: "client_secret_post",
      },
    ],

    claims: {
      openid: ["sub"],
      profile: ["name", "preferred_username"],
      email: ["email", "email_verified"],
    },

    scopes: ["openid", "profile", "email", "offline_access"],

    findAccount: async (_ctx: unknown, id: string) => {
      await connectDB();
      const member = await (Member as any).findById(id);
      if (!member) return undefined;

      return {
        accountId: id,
        async claims(_use: string, _scope: string) {
          return {
            sub: id,
            name: member.name,
            preferred_username: member.name,
            email: member.email,
            email_verified: true,
          };
        },
      };
    },

    cookies: {
      keys: (process.env.OIDC_COOKIE_SECRET || "dev-cookie-secret").split(","),
    },

    ttl: {
      AccessToken: 3600, // 1 hour
      AuthorizationCode: 600, // 10 minutes
      RefreshToken: 14 * 24 * 60 * 60, // 14 days
      Session: 14 * 24 * 60 * 60, // 14 days
      Interaction: 600, // 10 minutes
      Grant: 14 * 24 * 60 * 60, // 14 days
    },

    features: {
      devInteractions: {
        enabled: process.env.NODE_ENV !== "production",
      },
      revocation: { enabled: true },
      rpInitiatedLogout: { enabled: true },
    },

    // Mount all OIDC endpoints under /oidc prefix
    routes: {
      authorization: "/oidc/auth",
      backchannel_authentication: "/oidc/backchannel",
      code_verification: "/oidc/device",
      device_authorization: "/oidc/device/auth",
      end_session: "/oidc/session/end",
      introspection: "/oidc/token/introspection",
      jwks: "/oidc/jwks",
      pushed_authorization_request: "/oidc/request",
      registration: "/oidc/reg",
      revocation: "/oidc/token/revocation",
      token: "/oidc/token",
      userinfo: "/oidc/me",
    },

    interactions: {
      url(_ctx: unknown, interaction: { uid: string }) {
        return `/oidc/interaction/${interaction.uid}`;
      },
    },

    // Allow Outline to use PKCE but don't require it
    pkce: {
      required: () => false,
    },

    // Skip consent for our first-party Outline client
    loadExistingGrant: async (ctx: any) => {
      const grant = new (ctx.oidc.provider.Grant as any)({
        accountId: ctx.oidc.session!.accountId,
        clientId: ctx.oidc.client!.clientId,
      });
      grant.addOIDCScope("openid profile email");
      await grant.save();
      return grant;
    },
  });

  return _provider;
}