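// Auth configuration from environment variables

// Fallback session lifetime: 24 hours, in milliseconds.
const DEFAULT_SESSION_MAX_AGE_MS = 86400000;

/**
 * Parse SESSION_MAX_AGE into a positive number of milliseconds.
 *
 * Parses base-10 explicitly and falls back to the default for missing,
 * non-numeric, zero or negative input, so a typo in the environment cannot
 * produce a session lifetime that is already expired.
 *
 * @param {string | undefined} raw - Raw environment value.
 * @returns {number} Session lifetime in milliseconds.
 */
function parseSessionMaxAge(raw) {
  const parsed = Number.parseInt(raw, 10);
  return Number.isFinite(parsed) && parsed > 0 ? parsed : DEFAULT_SESSION_MAX_AGE_MS;
}

/**
 * Authentication settings, read once from the environment at module load.
 *
 * `oidc.clientSecret` and `session.secret` are credentials: avoid logging or
 * serialising this object as a whole.
 */
export const authConfig = {
  // OIDC Configuration
  oidc: {
    issuer: process.env.OIDC_ISSUER,
    clientId: process.env.OIDC_CLIENT_ID,
    clientSecret: process.env.OIDC_CLIENT_SECRET,
    redirectUri: process.env.OIDC_REDIRECT_URI,
    // 'offline_access' is the OIDC scope that asks the provider for a refresh
    // token; 'groups' is presumably what feeds the group check below - confirm
    // against the provider's scope mapping.
    scopes: ['openid', 'profile', 'email', 'groups', 'offline_access'],
  },

  // Session Configuration
  session: {
    secret: process.env.SESSION_SECRET,
    name: 'claude.sid',
    domain: process.env.SESSION_DOMAIN || undefined,
    // True only when SESSION_SECURE is exactly 'true'; unset or any other
    // value leaves it false.
    // NOTE(review): if this becomes the cookie's Secure attribute, the default
    // lets the session cookie travel over plain HTTP - set SESSION_SECURE=true
    // wherever the app is served over TLS.
    secure: process.env.SESSION_SECURE === 'true',
    maxAge: parseSessionMaxAge(process.env.SESSION_MAX_AGE), // default 24 hours
  },

  // Redis Configuration
  redis: {
    // The fallback URL carries no credentials and uses the plaintext redis://
    // scheme; it is only suitable for a local development instance.
    url: process.env.REDIS_URL || 'redis://localhost:6379',
  },

  // App Configuration
  app: {
    frontendUrl: process.env.FRONTEND_URL || 'http://localhost:5173',
    // Fails closed: auth stays enabled unless AUTH_ENABLED is exactly 'false'.
    authEnabled: process.env.AUTH_ENABLED !== 'false',
  },

  // Group Configuration (must match Authentik group names)
  groups: {
    admin: 'agent-admins',
    users: 'agent-users',
    // Repeats the two names above as literals; keep all three in sync.
    allowedGroups: ['agent-admins', 'agent-users'],
  },
};

/**
 * Validate required config.
 *
 * When auth is enabled, every OIDC setting and the session secret must be
 * present. Only the names of missing variables are logged, never their values.
 *
 * NOTE(review): this is a presence check only. It does not look at the length
 * of SESSION_SECRET or the scheme of OIDC_ISSUER / OIDC_REDIRECT_URI, and it
 * checks nothing at all when AUTH_ENABLED=false.
 *
 * @returns {boolean} true when the configuration is usable, false otherwise.
 */
export function validateConfig() {
  const { oidc, session, app } = authConfig;
  const errors = [];

  if (app.authEnabled) {
    const required = [
      [oidc.issuer, 'OIDC_ISSUER'],
      [oidc.clientId, 'OIDC_CLIENT_ID'],
      [oidc.clientSecret, 'OIDC_CLIENT_SECRET'],
      [oidc.redirectUri, 'OIDC_REDIRECT_URI'],
      [session.secret, 'SESSION_SECRET'],
    ];
    for (const [value, envName] of required) {
      if (!value) {
        errors.push(`${envName} is required`);
      }
    }
  }

  if (errors.length > 0) {
    console.error('Auth configuration errors:', errors);
    return false;
  }

  return true;
}

export default authConfig;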