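import NextAuth from "next-auth"
import ZITADEL from "next-auth/providers/zitadel"

/** Returns `value` when it is a non-empty string, otherwise `undefined`. */
function nonEmptyString(value: unknown): string | undefined {
  return typeof value === "string" && value.length > 0 ? value : undefined
}

/**
 * Picks a display name from a parsed userinfo response.
 *
 * Preference order: `name`, then `given_name` + `family_name` joined with a
 * space, then `preferred_username`, then `email`. The response is remote
 * data, so every claim is type-checked before use; non-string and empty
 * values are skipped.
 *
 * @param userinfo - Parsed JSON body of the userinfo response.
 * @returns The first usable name, or `undefined` when none is present.
 */
function displayNameFromUserinfo(userinfo: unknown): string | undefined {
  if (typeof userinfo !== "object" || userinfo === null) return undefined
  const claims = userinfo as Record<string, unknown>
  const fullName = [claims.given_name, claims.family_name]
    .map(nonEmptyString)
    .filter((part): part is string => part !== undefined)
    .join(" ")
  return (
    nonEmptyString(claims.name) ??
    nonEmptyString(fullName) ??
    nonEmptyString(claims.preferred_username) ??
    nonEmptyString(claims.email)
  )
}

/**
 * NextAuth configuration with ZITADEL as the only OIDC provider.
 *
 * On the initial sign-in the `jwt` callback asks ZITADEL's userinfo endpoint
 * for a display name and stores it on the token; the `session` callback
 * copies that name onto `session.user`.
 */
export const { handlers, auth, signIn, signOut } = NextAuth({
  // NOTE(review): trustHost makes the library rely on the host information of
  // the incoming request when it builds callback URLs. Confirm that the
  // deployment's reverse proxy overwrites Host / X-Forwarded-Host instead of
  // forwarding client-supplied values.
  trustHost: true,
  providers: [
    ZITADEL({
      // The non-null assertions only silence the compiler: a missing variable
      // still reaches the provider as `undefined` at runtime.
      clientId: process.env.ZITADEL_CLIENT_ID!,
      clientSecret: process.env.ZITADEL_CLIENT_SECRET!,
      issuer: process.env.ZITADEL_ISSUER,
    }),
  ],
  callbacks: {
    async jwt({ token, account }) {
      // account is only present on the initial sign-in
      if (account?.access_token) {
        // Drop trailing slashes so the path below never starts with "//".
        const issuer = process.env.ZITADEL_ISSUER?.replace(/\/+$/, "")
        if (!issuer) {
          // Without an issuer the URL would be "undefined/oidc/v1/userinfo";
          // skip the lookup rather than send the bearer token anywhere.
          console.warn("[auth] ZITADEL_ISSUER is not set; skipping userinfo lookup")
          return token
        }
        try {
          const res = await fetch(`${issuer}/oidc/v1/userinfo`, {
            headers: { Authorization: `Bearer ${account.access_token}` },
          })
          if (!res.ok) {
            // Log the status only. The response body and the claims are not
            // written to the log: they carry personal data (names, e-mail).
            console.warn("[auth] ZITADEL userinfo request failed with status", res.status)
          } else {
            const userinfo: unknown = await res.json()
            token.name = displayNameFromUserinfo(userinfo) ?? token.name
          }
        } catch (err: unknown) {
          // The name is display-only, so a network or JSON error keeps the
          // name already on the token instead of failing the sign-in.
          console.warn(
            "[auth] ZITADEL userinfo request failed:",
            err instanceof Error ? err.message : "unknown error"
          )
        }
      }
      return token
    },
    session({ session, token }) {
      // Copy the name only when the token carries a non-empty string.
      if (typeof token.name === "string" && token.name) session.user.name = token.name
      return session
    },
  },
})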