import type { Client } from 'openid-client';
import { generators } from 'openid-client';
import { Request, Response } from 'express';

export function setupAuthRoutes(app: any, client: Client, redirectUri: string, scope: string, cookieOptionsBase: any) {
  app.get('/auth/login', (req: Request, res: Response) => {
    const code_verifier = generators.codeVerifier();
    const code_challenge = generators.codeChallenge(code_verifier);
    res.cookie('pkce_verifier', code_verifier, { ...cookieOptionsBase, maxAge: 600000 });
    const authUrl = client.authorizationUrl({ scope, code_challenge, code_challenge_method: 'S256', redirect_uri: redirectUri });
    res.redirect(authUrl);
  });

  app.get('/auth/callback', async (req: Request, res: Response) => {
    const params = client.callbackParams(req);
    const verifier = req.signedCookies['pkce_verifier'];
    const tokenSet = await client.callback(redirectUri, params, { code_verifier: verifier });
    res.clearCookie('pkce_verifier');
    res.cookie('access_token', tokenSet.access_token, { ...cookieOptionsBase });
    res.cookie('id_token', tokenSet.id_token, { ...cookieOptionsBase });
    res.redirect('/');
  });

  app.get('/api/userinfo', async (req: Request, res: Response) => {
    const access = req.signedCookies['access_token'];
    if (!access) return res.status(401).json({ error: 'unauthorized' });
    const userinfo = await client.userinfo(access);
    res.json(userinfo);
  });

  app.post('/auth/logout', (_req: Request, res: Response) => {
    res.clearCookie('access_token');
    res.clearCookie('id_token');
    res.clearCookie('refresh_token');
    res.json({ ok: true });
  });
}