namespace ZB.MOM.WW.MxGateway.Server.Dashboard;

public static class DashboardAuthenticationDefaults
{
    /// <summary>Cookie scheme used to authenticate interactive dashboard requests.</summary>
    public const string AuthenticationScheme = "MxGateway.Dashboard";

    /// <summary>
    /// Bearer scheme used to authenticate SignalR hub connections. Hubs cannot
    /// reuse the browser's HttpOnly cookie when the client SignalR JS resolves
    /// the cookie scope to loopback, so the dashboard mints a short-lived
    /// data-protected bearer token on demand.
    /// </summary>
    public const string HubAuthenticationScheme = "MxGateway.Dashboard.HubToken";

    /// <summary>
    /// Policy guarding read-only dashboard pages. Allowed roles:
    /// <see cref="DashboardRoles.Admin"/> or <see cref="DashboardRoles.Viewer"/>.
    /// </summary>
    public const string ViewerPolicy = "MxGateway.Dashboard.Viewer";

    /// <summary>
    /// Policy guarding write-capable dashboard pages and admin endpoints
    /// (API-key CRUD, settings edits, hub publishes). Allowed role:
    /// <see cref="DashboardRoles.Admin"/>.
    /// </summary>
    public const string AdminPolicy = "MxGateway.Dashboard.Admin";

    /// <summary>
    /// Policy attached to SignalR hubs — accepts either the cookie scheme
    /// (in-page connect) or the hub-token bearer scheme (cross-origin or
    /// WebSocket connect where the cookie can't be forwarded).
    /// </summary>
    public const string HubClientsPolicy = "MxGateway.Dashboard.HubClients";

    public const string LdapGroupClaimType = "mxgateway:ldap_group";
    public const string KeyPrefixClaimType = "mxgateway:key_prefix";
    public const string CookieName = "__Host-MxGatewayDashboard";
}