namespace Campaign_Tracker.Server.Authentication;

/// <summary>
/// Settings for the Keycloak realm this server authenticates against: where the realm
/// is reached, which client the server acts as, and which issuer/audience values an
/// incoming bearer token must carry. The type only holds values and derives the
/// effective validation parameters from them; binding and consumption happen elsewhere.
/// </summary>
public sealed class KeycloakOptions
{
    /// <summary>Configuration section key this type is meant to bind from.</summary>
    public const string SectionName = "Keycloak";

    /// <summary>
    /// Realm base URL the server itself uses. A deployment that omits the setting
    /// silently falls back to the KCI realm baked in here — set it explicitly per environment.
    /// </summary>
    public string Authority { get; init; } = "https://kci-app01.ntp.kentcommunications.com/realms/KCI";

    /// <summary>Optional explicit OIDC metadata document address; null means not configured.</summary>
    public string? MetadataAddress { get; init; }

    /// <summary>Optional override for the issuer incoming tokens must carry; see <see cref="TokenIssuer"/>.</summary>
    public string? ValidIssuer { get; init; }

    /// <summary>Realm URL as seen from outside; defaults to the same realm as <see cref="Authority"/>.</summary>
    public string PublicAuthority { get; init; } = "https://kci-app01.ntp.kentcommunications.com/realms/KCI";

    /// <summary>Keycloak client this server acts as; doubles as the default expected audience.</summary>
    public string ClientId { get; init; } = "canopy-web";

    /// <summary>Secret for a confidential client. Supplied through configuration, never in source.</summary>
    public string? ClientSecret { get; init; }

    /// <summary>Single expected audience; when non-blank it replaces <see cref="ClientId"/> in <see cref="TokenAudience"/>.</summary>
    public string? Audience { get; init; }

    /// <summary>Complete accepted-audience list; when non-empty it replaces the derived default in <see cref="TokenAudiences"/>.</summary>
    public string[]? Audiences { get; init; }

    /// <summary>
    /// Development knob consumed outside this file. NOTE(review): presumably permits
    /// fetching discovery metadata without HTTPS — confirm the consumer rejects it
    /// outside development environments.
    /// </summary>
    public bool DisableHttpsMetadata { get; init; }

    /// <summary>
    /// Development knob consumed outside this file. NOTE(review): presumably a static
    /// key used to validate tokens in tests instead of the realm's published keys; a
    /// value present in a production configuration would undermine token validation,
    /// so confirm the consumer ignores it outside development environments.
    /// </summary>
    public string? TestSigningKey { get; init; }

    /// <summary>Effective single audience: <see cref="Audience"/> when non-blank, otherwise <see cref="ClientId"/>.</summary>
    public string TokenAudience => FirstNonBlank(Audience, ClientId);

    /// <summary>
    /// Audiences the resource server accepts. A non-empty <see cref="Audiences"/> wins;
    /// otherwise <see cref="TokenAudience"/> plus Keycloak's built-in "account" client,
    /// because a default Keycloak access token carries aud="account" and would otherwise
    /// fail with SecurityTokenInvalidAudienceException.
    /// Consequence of the fallback: a realm token carrying only that default audience is
    /// accepted even if it was issued for a different client. To bind validation to this
    /// client, configure an audience mapper in Keycloak and set <see cref="Audiences"/>.
    /// </summary>
    public string[] TokenAudiences
    {
        get
        {
            if (Audiences is { Length: > 0 })
            {
                return Audiences;
            }

            return [TokenAudience, "account"];
        }
    }

    /// <summary>
    /// Issuer incoming tokens must carry: <see cref="ValidIssuer"/> when non-blank, else
    /// <see cref="PublicAuthority"/>. NOTE(review): unlike <see cref="TokenEndpointAuthority"/>
    /// this does not fall back to <see cref="Authority"/> when PublicAuthority is blank,
    /// so a blank PublicAuthority yields a blank issuer — confirm that is intended.
    /// </summary>
    public string TokenIssuer => FirstNonBlank(ValidIssuer, PublicAuthority);

    /// <summary>Authority for token-endpoint use (per its name): <see cref="PublicAuthority"/> when non-blank, else <see cref="Authority"/>.</summary>
    public string TokenEndpointAuthority => FirstNonBlank(PublicAuthority, Authority);

    /// <summary>Returns <paramref name="preferred"/> unless it is null or whitespace, in which case <paramref name="fallback"/>.</summary>
    private static string FirstNonBlank(string? preferred, string fallback)
        => string.IsNullOrWhiteSpace(preferred) ? fallback : preferred;
}