import 'dotenv/config';
import cors from 'cors';
import express from 'express';
import { initAuth, requireAccessToken } from './middleware/auth.js';

function resolveIssuer() {
  if (process.env.OIDC_ISSUER?.trim()) {
    const issuer = process.env.OIDC_ISSUER.trim();
    return issuer.endsWith('/') ? issuer : `${issuer}/`;
  }
  const base = process.env.AUTHENTIK_URL?.trim();
  const slug = process.env.OIDC_APP_SLUG?.trim() || 'oidc-demo';
  if (!base) return null;
  return `${base.replace(/\/+$/, '')}/application/o/${slug}/`;
}

const port = Number(process.env.PORT) || 3001;
const oidcIssuer = resolveIssuer();
const corsOrigin = process.env.CORS_ORIGIN ?? 'http://localhost:5173';

if (!oidcIssuer) {
  console.error(
    'Set OIDC_ISSUER or AUTHENTIK_URL + OIDC_APP_SLUG in backend/.env',
  );
  process.exit(1);
}

initAuth({
  oidcIssuer,
  oidcAudience: process.env.OIDC_AUDIENCE,
});

const app = express();

app.use(
  cors({
    origin: corsOrigin,
    credentials: true,
  }),
);

app.get('/health', (_req, res) => {
  res.json({ status: 'ok', issuer: oidcIssuer });
});

app.get('/api/me', requireAccessToken, (req, res) => {
  res.json({
    message: 'Authorized via access token',
    sub: req.auth.sub,
    email: req.auth.email,
    name: req.auth.name,
    scopes: req.auth.scope,
  });
});

app.listen(port, () => {
  console.log(`API listening on http://localhost:${port}`);
  console.log(`OIDC issuer: ${oidcIssuer}`);
});