import 'dotenv/config';

import cors from 'cors';
import express from 'express';
import { auth } from 'express-openid-connect';

const app = express();

const port = Number(process.env.PORT ?? 3001);
const frontendOrigin = process.env.FRONTEND_ORIGIN ?? 'http://localhost:5173';

const oidcConfig = {
  authRequired: false,
  auth0Logout: false,
  secret: process.env.SESSION_SECRET ?? 'change-me-in-env',
  baseURL: process.env.BASE_URL ?? `http://localhost:${port}`,
  clientID: process.env.OIDC_CLIENT_ID ?? '',
  issuerBaseURL: process.env.OIDC_ISSUER_BASE_URL ?? '',
  clientSecret: process.env.OIDC_CLIENT_SECRET ?? '',
  authorizationParams: {
    response_type: 'code',
    scope: process.env.OIDC_SCOPE ?? 'openid profile email',
  },
};

if (!oidcConfig.clientID || !oidcConfig.issuerBaseURL || !oidcConfig.clientSecret) {
  // Keep a clear startup failure if OIDC is not configured.
  throw new Error(
    'OIDC config is missing. Set OIDC_ISSUER_BASE_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in server/.env',
  );
}

app.use(
  cors({
    origin: frontendOrigin,
    credentials: true,
  }),
);
app.use(express.json());

app.use(auth(oidcConfig));

app.get('/api/health', (_req, res) => {
  res.json({ ok: true });
});

app.get('/api/me', (req, res) => {
  if (!req.oidc.isAuthenticated()) {
    res.status(401).json({ authenticated: false });
    return;
  }

  res.json({
    authenticated: true,
    user: req.oidc.user,
  });
});

app.get('/api/login', (req, res) => {
  res.oidc.login({
    returnTo: frontendOrigin,
  });
});

app.get('/api/logout', (req, res) => {
  res.oidc.logout({
    returnTo: frontendOrigin,
  });
});

app.listen(port, () => {
  console.log(`OIDC auth server listening on http://localhost:${port}`);
});