package auth

import "time"

// User represents an authenticated user stored in the database.
type User struct {
	ID           string `json:"id"`
	Username     string `json:"username"`
	PasswordHash string `json:"-"`
	Email        string `json:"email"`
	Role         string `json:"role"` // admin, viewer
	CreatedAt    string `json:"created_at"`
	UpdatedAt    string `json:"updated_at"`
}

// AuthSettings holds the authentication configuration (single-row pattern).
type AuthSettings struct {
	AuthMode         string `json:"auth_mode"` // local, oidc
	OIDCClientID     string `json:"oidc_client_id"`
	OIDCClientSecret string `json:"-"`
	OIDCIssuerURL    string `json:"oidc_issuer_url"`
	OIDCRedirectURL  string `json:"oidc_redirect_url"`
}

// Claims represents the JWT token claims.
type Claims struct {
	UserID   string `json:"user_id"`
	Username string `json:"username"`
	Role     string `json:"role"`
}

// SessionToken is the response sent to the client after successful authentication.
type SessionToken struct {
	Token     string    `json:"token"`
	ExpiresAt time.Time `json:"expires_at"`
}

// LoginRequest is the expected JSON body for the login endpoint.
type LoginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}