namespace ScadaLink.Security;

/// <summary>
/// Settings bag for LDAP authentication and JWT session handling.
/// </summary>
/// <remarks>
/// This type only stores values and performs no validation. Two properties hold
/// secrets (<see cref="LdapServiceAccountPassword"/> and <see cref="JwtSigningKey"/>);
/// supply them from a secret store or protected configuration rather than a
/// committed settings file, and keep instances of this class out of logs.
/// NOTE(review): the code that consumes these options is not visible here, so any
/// statement below about how a value is used should be confirmed against it.
/// </remarks>
public class SecurityOptions
{
    /// <summary>
    /// LDAP server to connect to. Defaults to an empty string.
    /// </summary>
    public string LdapServer { get; set; } = string.Empty;

    /// <summary>
    /// TCP port of the LDAP server. Defaults to 389, the standard LDAP port.
    /// </summary>
    /// <remarks>
    /// NOTE(review): with <see cref="LdapUseTls"/> enabled, port 389 normally implies
    /// StartTLS while LDAPS conventionally listens on 636 - confirm which mode the
    /// consumer negotiates so the port and the TLS setting agree.
    /// </remarks>
    public int LdapPort { get; set; } = 389;

    /// <summary>
    /// Whether the LDAP connection uses TLS. Defaults to <c>true</c>.
    /// </summary>
    public bool LdapUseTls { get; set; } = true;

    /// <summary>
    /// Allow insecure (non-TLS) LDAP connections. ONLY for dev/test with GLAuth.
    /// Must be false in production.
    /// </summary>
    /// <remarks>
    /// Without TLS, bind credentials cross the network in cleartext.
    /// NOTE(review): how this flag interacts with <see cref="LdapUseTls"/> is not
    /// visible here - confirm the consumer refuses a non-TLS connection unless this
    /// is explicitly set to <c>true</c>.
    /// </remarks>
    public bool AllowInsecureLdap { get; set; } = false;

    /// <summary>
    /// Base DN for LDAP searches (e.g., "dc=example,dc=com").
    /// </summary>
    public string LdapSearchBase { get; set; } = string.Empty;

    /// <summary>
    /// Service account DN for LDAP user searches (e.g., "cn=admin,dc=example,dc=com").
    /// Required for search-then-bind authentication. If empty, direct bind with
    /// cn={username},{LdapSearchBase} is attempted instead.
    /// </summary>
    /// <remarks>
    /// NOTE(review): both paths place a user-supplied name into an LDAP filter or DN;
    /// confirm the consumer escapes it for the context it is used in.
    /// </remarks>
    public string LdapServiceAccountDn { get; set; } = string.Empty;

    /// <summary>
    /// Service account password for LDAP user searches.
    /// </summary>
    /// <remarks>
    /// Secret value. Defaults to an empty string; it should not be committed to
    /// source control or written to logs.
    /// </remarks>
    public string LdapServiceAccountPassword { get; set; } = string.Empty;

    /// <summary>
    /// LDAP attribute that contains the user's display name. Defaults to "cn".
    /// </summary>
    public string LdapDisplayNameAttribute { get; set; } = "cn";

    /// <summary>
    /// LDAP attribute that contains group membership. Defaults to "memberOf".
    /// </summary>
    public string LdapGroupAttribute { get; set; } = "memberOf";

    /// <summary>
    /// Key used to sign JWTs. Defaults to an empty string.
    /// </summary>
    /// <remarks>
    /// Secret value. NOTE(review): the signing algorithm and any length check are not
    /// visible here - confirm the consumer fails at startup when this is empty or too
    /// short for the algorithm, instead of issuing tokens signed with a weak key.
    /// </remarks>
    public string JwtSigningKey { get; set; } = string.Empty;

    /// <summary>
    /// JWT lifetime in minutes (presumably from issuance - confirm). Defaults to 15.
    /// </summary>
    public int JwtExpiryMinutes { get; set; } = 15;

    /// <summary>
    /// Idle timeout in minutes. Defaults to 30.
    /// </summary>
    /// <remarks>
    /// NOTE(review): where and how inactivity is measured is not shown here.
    /// </remarks>
    public int IdleTimeoutMinutes { get; set; } = 30;

    /// <summary>
    /// Minutes before token expiry to trigger refresh. Defaults to 5.
    /// </summary>
    public int JwtRefreshThresholdMinutes { get; set; } = 5;
}