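import NextAuth, { type NextAuthOptions } from "next-auth";
import type { OAuthConfig } from "next-auth/providers/oauth";

import {
  getAuthMode,
  getOidcProviderName,
  getRequiredAuthSecret,
  mapOidcProfile,
  type OidcProfile,
} from "@/lib/auth-config";

// Evaluated once at module load. Its `enabled` flag decides whether NextAuth is
// instantiated at all; `error` (when set) selects the 500 response below.
const authMode = getAuthMode();

/**
 * Builds the single OIDC provider from the OIDC_* environment variables.
 *
 * Endpoints are taken from the issuer's discovery document. The authorization
 * request asks for the `openid profile email` scopes and is protected by PKCE
 * and the `state` parameter.
 *
 * @returns The provider configuration handed to NextAuth.
 */
function oidcProvider(): OAuthConfig<OidcProfile> {
  // Strip trailing slashes so an issuer configured as "https://idp.example/"
  // does not produce "https://idp.example//.well-known/...", which some
  // identity providers answer with 404.
  // NOTE(review): presence of OIDC_ISSUER / OIDC_CLIENT_ID / OIDC_CLIENT_SECRET
  // is presumably validated by getAuthMode() before `enabled` is true — confirm.
  const issuer = (process.env.OIDC_ISSUER ?? "").replace(/\/+$/, "");

  return {
    id: "oidc",
    name: getOidcProviderName(),
    type: "oauth",
    wellKnown: `${issuer}/.well-known/openid-configuration`,
    authorization: { params: { scope: "openid profile email" } },
    // PKCE binds the authorization code to this client; `state` protects the
    // callback against CSRF.
    // NOTE(review): because `idToken: true` makes the ID token the source of
    // the profile, consider also listing "nonce" here if the installed
    // next-auth version supports it, so the token is bound to this login.
    checks: ["pkce", "state"],
    clientId: process.env.OIDC_CLIENT_ID,
    clientSecret: process.env.OIDC_CLIENT_SECRET,
    idToken: true,
    // Claim-to-user mapping lives in one place (auth-config).
    profile(profile) {
      return mapOidcProfile(profile);
    },
  };
}

/**
 * NextAuth options for this route. Sessions are stateless JWTs, so `secret`
 * is the key that protects every session token.
 */
const authOptions: NextAuthOptions = {
  providers: authMode.enabled ? [oidcProvider()] : [],
  // "auth-disabled" is a public, hard-coded placeholder. It is safe only
  // because NextAuth is never instantiated with these options while auth is
  // disabled (see `handler`). Do not export or reuse `authOptions` in that
  // state (e.g. for server-side session checks): tokens signed with a known
  // secret could be forged.
  secret: authMode.enabled ? getRequiredAuthSecret() : "auth-disabled",
  session: {
    strategy: "jwt",
  },
};

/**
 * Route handler for GET and POST.
 *
 * When auth is enabled this is the NextAuth handler. Otherwise every request
 * gets a JSON error: 500 if `authMode.error` is set, 404 if not.
 */
const handler = authMode.enabled
  ? NextAuth(authOptions)
  : function authDisabled() {
      // This endpoint is reachable without authentication, and the text of
      // `authMode.error` is returned verbatim to the caller.
      // NOTE(review): confirm getAuthMode() never puts secret values or
      // internal hostnames into that message.
      return Response.json(
        { error: authMode.error ?? "OIDC authentication is not configured." },
        { status: authMode.error ? 500 : 404 }
      );
    };

export { handler as GET, handler as POST };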