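package hwsauth

import (
	"git.haelnorr.com/h/golib/env"
	"git.haelnorr.com/h/golib/jwt"
	"github.com/pkg/errors"
)

// Config holds the settings read by ConfigFromEnv. Each field lists the
// environment variable it is loaded from and the default applied when that
// variable is not set.
//
// SecretKey is a credential stored as a plain exported string. Formatting a
// Config with %v or %+v, or serialising it, will include the key, so keep the
// struct out of logs and error messages.
type Config struct {
	// ENV HWSAUTH_SSL: Flag for SSL Mode (default: false)
	SSL bool

	// ENV HWSAUTH_TRUSTED_HOST (fallback: HWS_TRUSTED_HOST): Full server
	// address to accept as trusted SSL host (required if SSL is true)
	TrustedHost string

	// ENV HWSAUTH_SECRET_KEY: Secret key for signing tokens (required).
	// ConfigFromEnv only rejects an empty value; length and randomness are
	// not checked, so the deployment must supply a long, randomly generated
	// key.
	SecretKey string

	// ENV HWSAUTH_ACCESS_TOKEN_EXPIRY: Access token expiry in minutes (default: 5)
	AccessTokenExpiry int64

	// ENV HWSAUTH_REFRESH_TOKEN_EXPIRY: Refresh token expiry in minutes (default: 1440)
	RefreshTokenExpiry int64

	// ENV HWSAUTH_TOKEN_FRESH_TIME: Time for tokens to stay fresh in minutes (default: 5)
	TokenFreshTime int64

	// ENV HWSAUTH_LANDING_PAGE: Path of the desired landing page for logged in users (default: "/profile")
	LandingPage string

	// ENV HWSAUTH_DATABASE_TYPE: Database type (postgres, mysql, sqlite, mariadb) (default: "postgres")
	DatabaseType string

	// ENV HWSAUTH_DATABASE_VERSION: Database version (default: "15")
	DatabaseVersion string

	// ENV HWSAUTH_JWT_TABLE_NAME: JWT blacklist table name (default: "jwtblacklist")
	JWTTableName string
}

// ConfigFromEnv builds a Config from the environment, applying the defaults
// documented on the Config fields.
//
// It returns an error, and a nil Config, when SSL mode is enabled without a
// trusted host, or when HWSAUTH_SECRET_KEY is empty. The trusted-host check
// runs first, so that error wins when both conditions hold.
func ConfigFromEnv() (*Config, error) {
	ssl := env.Bool("HWSAUTH_SSL", false)

	// The Config documentation names HWSAUTH_TRUSTED_HOST, but this loader
	// previously read only HWS_TRUSTED_HOST, so a host configured under the
	// documented name was silently ignored. Prefer the documented name and
	// keep the old one as a fallback so existing deployments keep working.
	trustedHost := env.String("HWSAUTH_TRUSTED_HOST", env.String("HWS_TRUSTED_HOST", ""))
	if ssl && trustedHost == "" {
		return nil, errors.New("SSL is enabled and no HWSAUTH_TRUSTED_HOST set")
	}

	// Fail closed: never hand back a configuration without a signing key.
	secretKey := env.String("HWSAUTH_SECRET_KEY", "")
	if secretKey == "" {
		return nil, errors.New("Envar not set: HWSAUTH_SECRET_KEY")
	}

	// NOTE(review): the expiry and fresh-time values are taken as read; zero
	// or negative minutes are not rejected here. Confirm how the token code
	// treats such values before relying on operator-supplied input.
	cfg := &Config{
		SSL:                ssl,
		TrustedHost:        trustedHost,
		SecretKey:          secretKey,
		AccessTokenExpiry:  env.Int64("HWSAUTH_ACCESS_TOKEN_EXPIRY", 5),
		RefreshTokenExpiry: env.Int64("HWSAUTH_REFRESH_TOKEN_EXPIRY", 1440),
		TokenFreshTime:     env.Int64("HWSAUTH_TOKEN_FRESH_TIME", 5),
		LandingPage:        env.String("HWSAUTH_LANDING_PAGE", "/profile"),
		DatabaseType:       env.String("HWSAUTH_DATABASE_TYPE", jwt.DatabasePostgreSQL),
		DatabaseVersion:    env.String("HWSAUTH_DATABASE_VERSION", "15"),
		JWTTableName:       env.String("HWSAUTH_JWT_TABLE_NAME", "jwtblacklist"),
	}
	return cfg, nil
}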