using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

namespace ScadaLink.Security;

public static class ServiceCollectionExtensions
{
    public static IServiceCollection AddSecurity(this IServiceCollection services)
    {
        services.AddScoped<LdapAuthService>();
        services.AddScoped<JwtTokenService>();
        services.AddScoped<RoleMapper>();

        // Register ASP.NET Core authentication with cookie scheme
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/login";
                options.LogoutPath = "/auth/logout";
                options.Cookie.Name = "ScadaLink.Auth";
                options.Cookie.HttpOnly = true;
                options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
                // The cookie carries the embedded JWT (a bearer credential); never
                // transmit it over plain HTTP. Design: "HttpOnly and Secure (requires HTTPS)".
                options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
            });

        services.AddScadaLinkAuthorization();

        return services;
    }

    public static IServiceCollection AddSecurityActors(this IServiceCollection services)
    {
        // Phase 0: placeholder for Akka actor registration
        return services;
    }
}