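// Package handlers provides the HTTP handlers of the auth0mock server.
package handlers

import (
	"encoding/json"
	"net/http"

	"gitlab.com/unboundsoftware/auth0mock/auth"
)

// DiscoveryHandler handles the OIDC discovery endpoints: the
// openid-configuration document and the JWKS.
type DiscoveryHandler struct {
	// jwtService supplies the issuer, the custom claim names and the JWKS.
	jwtService *auth.JWTService
}

// NewDiscoveryHandler creates a new discovery handler backed by jwtService.
func NewDiscoveryHandler(jwtService *auth.JWTService) *DiscoveryHandler {
	return &DiscoveryHandler{jwtService: jwtService}
}

// OpenIDConfiguration returns the OIDC discovery document as JSON.
//
// The document is marshalled before any header is written, so an encoding
// failure is reported as a 500 instead of leaving the client with a
// truncated 200 response (the original ignored the Encode error).
func (h *DiscoveryHandler) OpenIDConfiguration(w http.ResponseWriter, r *http.Request) {
	body, err := json.Marshal(h.discoveryDocument())
	if err != nil {
		http.Error(w, "Failed to encode discovery document", http.StatusInternalServerError)
		return
	}
	writeJSON(w, body)
}

// JWKS returns the JSON Web Key Set as produced by the JWT service.
func (h *DiscoveryHandler) JWKS(w http.ResponseWriter, r *http.Request) {
	jwks, err := h.jwtService.GetJWKS()
	if err != nil {
		// The message is deliberately generic: the underlying error is not
		// echoed to the client.
		http.Error(w, "Failed to get JWKS", http.StatusInternalServerError)
		return
	}
	writeJSON(w, jwks)
}

// discoveryDocument builds the openid-configuration metadata served by
// OpenIDConfiguration.
func (h *DiscoveryHandler) discoveryDocument() map[string]interface{} {
	issuer := h.jwtService.Issuer()
	// Endpoint URLs are built by plain concatenation, so this assumes
	// Issuer() returns a value ending in "/" — confirm against auth.JWTService.
	//
	// NOTE(review): the advertised signing algorithm lists include "HS256"
	// and "none", while token_endpoint_auth_signing_alg_values_supported
	// lists only RS256. Relying parties may treat this metadata as
	// authoritative when validating tokens, so confirm these lists match
	// what the JWT service actually issues and accepts.
	return map[string]interface{}{
		"issuer":                                     issuer,
		"authorization_endpoint":                     issuer + "authorize",
		"token_endpoint":                             issuer + "oauth/token",
		"token_endpoint_auth_methods_supported":      []string{"client_secret_basic", "private_key_jwt"},
		"token_endpoint_auth_signing_alg_values_supported": []string{"RS256"},
		"userinfo_endpoint":                          issuer + "userinfo",
		"check_session_iframe":                       issuer + "check_session",
		"end_session_endpoint":                       issuer + "end_session",
		"jwks_uri":                                   issuer + ".well-known/jwks.json",
		"registration_endpoint":                      issuer + "register",
		"scopes_supported":                           []string{"openid", "profile", "email", "address", "phone", "offline_access"},
		"response_types_supported":                   []string{"code", "code id_token", "id_token", "id_token token"},
		// Kept as an empty (non-nil) slice so it encodes as [] rather than null.
		"acr_values_supported":                       []string{},
		"subject_types_supported":                    []string{"public", "pairwise"},
		"userinfo_signing_alg_values_supported":      []string{"RS256", "ES256", "HS256"},
		"userinfo_encryption_alg_values_supported":   []string{"RSA-OAEP-256", "A128KW"},
		"userinfo_encryption_enc_values_supported":   []string{"A128CBC-HS256", "A128GCM"},
		"id_token_signing_alg_values_supported":      []string{"RS256", "ES256", "HS256"},
		"id_token_encryption_alg_values_supported":   []string{"RSA-OAEP-256", "A128KW"},
		"id_token_encryption_enc_values_supported":   []string{"A128CBC-HS256", "A128GCM"},
		"request_object_signing_alg_values_supported": []string{"none", "RS256", "ES256"},
		"display_values_supported":                   []string{"page", "popup"},
		"claim_types_supported":                      []string{"normal", "distributed"},
		"claims_supported": []string{
			"sub", "iss", "auth_time", "acr", "name", "given_name", "family_name",
			"nickname", "profile", "picture", "website", "email", "email_verified",
			"locale", "zoneinfo",
			// Custom claim names are owned by the JWT service.
			h.jwtService.EmailClaim(),
			h.jwtService.AdminClaim(),
		},
		"claims_parameter_supported":       true,
		"service_documentation":            "http://auth0/",
		"ui_locales_supported":             []string{"en-US"},
		"code_challenge_methods_supported": []string{"plain", "S256"},
	}
}

// writeJSON sends body as an application/json response with status 200.
func writeJSON(w http.ResponseWriter, body []byte) {
	w.Header().Set("Content-Type", "application/json")
	// Status and headers are committed by the first Write, so a failure here
	// (typically a client that went away) cannot be reported back to it;
	// the error is dropped on purpose.
	_, _ = w.Write(body)
}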