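/**
 * Catch-all route that delegates all /oidc/* requests to the oidc-provider.
 *
 * This exposes the standard OIDC endpoints:
 *   /oidc/auth         — authorization
 *   /oidc/token        — token exchange
 *   /oidc/me           — userinfo
 *   /oidc/session/end  — logout
 *   /oidc/jwks         — JSON Web Key Set
 */
import { getOidcProvider } from "../../utils/oidc-provider.js";

/**
 * Hands the raw Node request/response pair to the provider's request
 * callback and waits until the provider either passes control back or the
 * response is done.
 *
 * @returns Nothing; the provider writes the response directly to `res`.
 * @throws Whatever error the provider reports through the continuation, or
 *   a rejection of the value the callback returns.
 */
export default defineEventHandler(async (event) => {
  const provider = await getOidcProvider();
  const { req, res } = event.node;

  // The provider's routes config includes the /oidc prefix,
  // so pass the full path through without stripping.

  // In production, Traefik sets X-Forwarded-Proto: https. Keep a defensive
  // assignment only if the header isn't already present, and never in dev
  // (where forcing https would make oidc-provider emit https://localhost URLs
  // that the browser can't reach). The provider has app.proxy = true, so it
  // honors whatever value is in this header.
  //
  // NOTE(review): since the provider trusts this header, a value that is
  // already present is only as reliable as its sender. This assumes the
  // reverse proxy overwrites client-supplied X-Forwarded-* headers and that
  // this server is not reachable except through it — confirm in the
  // deployment config.
  if (
    process.env.NODE_ENV === "production" &&
    !req.headers["x-forwarded-proto"]
  ) {
    req.headers["x-forwarded-proto"] = "https";
  }

  // Hand off to oidc-provider's Connect-style callback. The signature is
  // spelled out instead of using the untyped `Function`, so the call below
  // is still checked.
  const callback = provider.callback() as (
    request: typeof req,
    response: typeof res,
    next: (err?: unknown) => void,
  ) => unknown;

  await new Promise<void>((resolve, reject) => {
    const stopWatching = (): void => {
      res.off("finish", onResponseDone);
      res.off("close", onResponseDone);
    };
    const onResponseDone = (): void => {
      stopWatching();
      resolve();
    };
    const fail = (err: unknown): void => {
      stopWatching();
      reject(err);
    };

    // The continuation is only invoked if the callback chooses to pass
    // control back. If it answers the request itself and never calls it
    // (NOTE(review): likely when the returned callback only takes
    // (req, res) — verify against the installed oidc-provider version), this
    // promise would otherwise never settle. Settle as well once the response
    // has been sent or the connection has closed.
    res.once("finish", onResponseDone);
    res.once("close", onResponseDone);

    const outcome = callback(req, res, (err?: unknown) => {
      if (err) {
        fail(err);
      } else {
        onResponseDone();
      }
    });

    // If the callback returns a promise, surface its rejection here rather
    // than leaving it unhandled. Settling twice is a no-op.
    Promise.resolve(outcome).catch(fail);
  });
});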