// src/setupMiddleware.js

const router = require("express").Router();
const { TRUST_PROXY } = require("../constants/middlewareConstants");
const { meta, session } = require("../config/loader");
const { requiresAuth } = require("express-openid-connect");
const { baseUrl } = require("../utils/baseUrl.js");

const cookieParser = require("cookie-parser");
router.use(cookieParser());

const debug = async (req, res) => {
  try {
    const tokenSet = req.oidc.tokenSet;
    const username = req.oidc?.user?.name ?? undefined;

    let userinfo;
    try {
      userinfo = await req.oidc.fetchUserInfo();
    } catch (e) {
      userinfo = e.message;
    }

    const diagnostics = {
      session,
      "req.cookies": req.cookies,
      "req.signedCookies": req.signedCookies,
      "req.oidc.fetchUserInfo()": userinfo,
      "req.locals.session": res.locals.session || "unset",
      "req.oidc.user": req.oidc.user || "unset",

      metadata: {
        "trust-proxy": TRUST_PROXY,
        baseUrl,
        user: username,
        // 1. Connection Security (Critical for Access Tokens)
        protocol: req.protocol,
        isSecure: req.secure, // If this is false, the SDK drops the access_token
        // 2. Auth State
        isAuthenticated: req.oidc.isAuthenticated(),

        // 3. Token Inventory (What the library actually holds)
        tokensInStore: tokenSet ? Object.keys(tokenSet) : "NONE",

        // 4. Scopes (What was actually granted by Authelia)
        grantedScopes: tokenSet?.scope,
        "req.openidTokens": req.openidTokens ?? "not set",
      },
    };

    // Log to console for persistent record
    console.warn("--- DIAGNOSTIC DATA ---");
    res.send("<pre>" + JSON.stringify(diagnostics, null, 2) + "</pre>");

    // res.json(diagnostics);
  } catch (e) {
    res.json(e.stack);
  }
};

router.get("/debug", debug);

const { claimIncludes } = require("express-openid-connect");

router.get("/debug/claim", claimIncludes("groups", "guests"), debug);

module.exports = router;