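/**
 * Authentication and authorization interfaces.
 *
 * Shared shapes for users, organizations, teams, repositories, API tokens,
 * sessions and JWT claims. Persisted records such as IUser carry secret
 * material; anything handed to a client goes through a secret-free view
 * (IPublicUser) rather than the stored record.
 */

// =============================================================================
// User Types
// =============================================================================

/** Lifecycle state of a local account. */
export type TUserStatus = 'active' | 'suspended' | 'pending_verification';

/**
 * Persisted user record.
 *
 * Contains credential material (`passwordHash`, `mfaSecret`). Do not return
 * this shape from an API or embed it in a client-facing result; project it to
 * IPublicUser first.
 */
export interface IUser {
  id: string;
  email: string;
  username: string;
  passwordHash: string; // password-hash output only, never the raw password
  displayName: string;
  avatarUrl?: string;
  status: TUserStatus;
  emailVerified: boolean;
  mfaEnabled: boolean;
  mfaSecret?: string; // NOTE(review): at-rest format not visible here — confirm it is encrypted like the provider secrets below
  lastLoginAt?: Date;
  lastLoginIp?: string;
  failedLoginAttempts: number;
  lockedUntil?: Date; // lockout deadline; presumably set once failedLoginAttempts crosses a threshold — verify in the auth service
  isPlatformAdmin: boolean;
  createdAt: Date;
  updatedAt: Date;
}

/**
 * Client-safe projection of IUser with credential material removed.
 * Build it by destructuring the stored record (`const { passwordHash, mfaSecret, ...pub } = user`),
 * not by passing the record through unchanged.
 */
export type IPublicUser = Omit<IUser, 'passwordHash' | 'mfaSecret'>;

// =============================================================================
// Organization Types
// =============================================================================

/** Billing tier of an organization. */
export type TOrganizationPlan = 'free' | 'team' | 'enterprise';

/** Role of a user inside an organization, from most to least privileged. */
export type TOrganizationRole = 'owner' | 'admin' | 'member';

/** Per-organization policy knobs. */
export interface IOrganizationSettings {
  requireMfa: boolean; // when true, members without mfaEnabled should be refused — enforcement lives elsewhere
  allowPublicRepositories: boolean;
  defaultRepositoryVisibility: TRepositoryVisibility;
  allowedProtocols: TRegistryProtocol[]; // registry protocols repositories in this org may use
}

/** Persisted organization record. */
export interface IOrganization {
  id: string;
  name: string; // URL-safe slug
  displayName: string;
  description?: string;
  avatarUrl?: string;
  website?: string;
  isPublic: boolean;
  memberCount: number;
  plan: TOrganizationPlan;
  settings: IOrganizationSettings;
  billingEmail?: string;
  isVerified: boolean;
  verifiedDomains: string[]; // domains whose ownership has been proven; a natural input for auto-linking decisions
  storageQuotaBytes: number;
  usedStorageBytes: number;
  createdAt: Date;
  updatedAt: Date;
  createdById: string;
}

/** Membership row linking a user to an organization with a role. */
export interface IOrganizationMember {
  id: string;
  organizationId: string;
  userId: string;
  role: TOrganizationRole;
  invitedBy?: string; // user id of the inviter, for audit
  joinedAt: Date;
  createdAt: Date;
}

// =============================================================================
// Team Types
// =============================================================================

/** Role of a user inside a team. */
export type TTeamRole = 'maintainer' | 'member';

/** Persisted team record; teams are scoped to one organization. */
export interface ITeam {
  id: string;
  organizationId: string;
  name: string;
  description?: string;
  isDefaultTeam: boolean;
  createdAt: Date;
  updatedAt: Date;
}

/** Membership row linking a user to a team with a role. */
export interface ITeamMember {
  id: string;
  teamId: string;
  userId: string;
  role: TTeamRole;
  createdAt: Date;
}

// =============================================================================
// Repository Types
// =============================================================================

/** Who may read a repository: everyone, grantees only, or organization members. */
export type TRepositoryVisibility = 'public' | 'private' | 'internal';

/** Role granted on a single repository, from most to least privileged. */
export type TRepositoryRole = 'admin' | 'maintainer' | 'developer' | 'reader';

/** Package-registry protocols a repository can speak. */
export type TRegistryProtocol =
  | 'oci'
  | 'npm'
  | 'maven'
  | 'cargo'
  | 'composer'
  | 'pypi'
  | 'rubygems';

/** Persisted repository record. */
export interface IRepository {
  id: string;
  organizationId: string;
  name: string;
  description?: string;
  protocol: TRegistryProtocol;
  visibility: TRepositoryVisibility;
  storageNamespace: string;
  downloadCount: number;
  starCount: number;
  createdAt: Date;
  updatedAt: Date;
  createdById: string;
}

/**
 * Explicit grant on a repository. Exactly one of `teamId` / `userId` is
 * expected to be set (the shape itself does not enforce this).
 */
export interface IRepositoryPermission {
  id: string;
  repositoryId: string;
  teamId?: string;
  userId?: string;
  role: TRepositoryRole;
  createdAt: Date;
  grantedById: string; // who issued the grant, for audit
}

// =============================================================================
// Token Types
// =============================================================================

/**
 * One scope entry of an API token. `'*'` wildcards widen the scope to every
 * protocol / action; a minted token's scopes must still be bounded by what the
 * creating principal is itself allowed to do.
 */
export interface ITokenScope {
  protocol: TRegistryProtocol | '*';
  organizationId?: string; // absent = not restricted to one org
  repositoryId?: string; // absent = not restricted to one repository
  actions: TTokenAction[];
}

/** Action a token scope permits. */
export type TTokenAction = 'read' | 'write' | 'delete' | '*';

/**
 * Persisted API token. Only a hash of the secret is stored; `tokenPrefix` is a
 * non-secret identifier for display and lookup, never sufficient to authenticate.
 */
export interface IApiToken {
  id: string;
  userId: string;
  organizationId?: string; // For org-owned tokens
  createdById?: string; // Who created the token (for audit)
  name: string;
  tokenHash: string;
  tokenPrefix: string;
  protocols: TRegistryProtocol[]; // overlaps with ITokenScope.protocol — presumably the effective set is the intersection; confirm in the validator
  scopes: ITokenScope[];
  expiresAt?: Date; // absent = non-expiring
  lastUsedAt?: Date;
  lastUsedIp?: string;
  usageCount: number;
  isRevoked: boolean;
  revokedAt?: Date;
  revokedReason?: string;
  createdAt: Date;
  createdIp?: string;
}

// =============================================================================
// Session Types
// =============================================================================

/** Server-side login session; `isValid` is the revocation flag. */
export interface ISession {
  id: string;
  userId: string;
  userAgent: string;
  ipAddress: string;
  isValid: boolean;
  invalidatedAt?: Date;
  invalidatedReason?: string;
  lastActivityAt: Date;
  createdAt: Date;
}

// =============================================================================
// JWT Types
// =============================================================================

/**
 * Claims carried in the access / refresh JWT.
 *
 * `orgs` is a snapshot taken at issue time: membership or role changes are not
 * reflected until a new token is issued, so authorization checks that matter
 * should re-read membership rather than trust this claim for the token's
 * lifetime. `sessionId` presumably maps to ISession.id so revocation can be
 * checked server-side — confirm in the verifier.
 */
export interface IJwtPayload {
  sub: string; // User ID
  iss: string; // Issuer
  aud: string; // Audience
  exp: number; // Expiration
  iat: number; // Issued at
  nbf: number; // Not before
  type: 'access' | 'refresh'; // discriminator; a refresh token must not be accepted where an access token is expected
  email: string;
  username: string;
  orgs: Array<{
    id: string;
    name: string;
    role: TOrganizationRole;
  }>;
  sessionId: string;
}

// =============================================================================
// Auth Results
// =============================================================================

/**
 * Result of a successful local login.
 *
 * `user` is the secret-free projection so this object can be returned to the
 * client as-is; it previously carried the full IUser including passwordHash
 * and mfaSecret.
 */
export interface IAuthResult {
  accessToken: string;
  refreshToken: string;
  expiresIn: number; // NOTE(review): unit not stated in this file — confirm against the issuer
  user: IPublicUser;
}

/** Outcome of validating an API token against its stored record. */
export interface IValidatedToken {
  tokenId: string;
  userId: string;
  username: string;
  protocols: TRegistryProtocol[];
  scopes: ITokenScope[];
}

/** Outcome of an authorization check. */
export interface IAuthorizationResult {
  authorized: boolean;
  reason?: string;
  userId?: string;
}

// =============================================================================
// Permission Types
// =============================================================================

/** Fine-grained actions a principal can be checked against. */
export type TPermissionAction =
  | 'repo:read'
  | 'repo:write'
  | 'repo:delete'
  | 'repo:admin'
  | 'team:read'
  | 'team:write'
  | 'team:admin'
  | 'org:read'
  | 'org:write'
  | 'org:admin'
  | 'token:create'
  | 'token:revoke';

/** Target of an authorization check. */
export interface IResource {
  type: 'repository' | 'organization' | 'team' | 'user';
  id: string;
}

// =============================================================================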
// Create/Update DTOs
// =============================================================================

/** Payload for local self-registration. `password` is the raw secret and must only be hashed, never stored. */
export interface ICreateUserDto {
  email: string;
  username: string;
  password: string;
  displayName?: string;
}

/** Payload for creating an organization. */
export interface ICreateOrganizationDto {
  name: string;
  displayName: string;
  description?: string;
}

/** Payload for creating a team. */
export interface ICreateTeamDto {
  name: string;
  description?: string;
}

/** Payload for creating a repository; `visibility` falls back to the org default when omitted. */
export interface ICreateRepositoryDto {
  name: string;
  description?: string;
  protocol: TRegistryProtocol;
  visibility?: TRepositoryVisibility;
}

/**
 * Payload for minting an API token. The requested `protocols` / `scopes` are
 * the caller's wish, not an entitlement: the issuer is expected to intersect
 * them with what the caller may itself do before creating the token.
 */
export interface ICreateTokenDto {
  name: string;
  organizationId?: string; // For org-owned tokens
  protocols: TRegistryProtocol[];
  scopes: ITokenScope[];
  expiresAt?: Date;
}

// =============================================================================
// External Authentication Types
// =============================================================================

/** Kind of external identity provider. */
export type TAuthProviderType = 'oidc' | 'ldap';

/** Whether a provider is live, switched off, or only reachable for admin testing. */
export type TAuthProviderStatus = 'active' | 'disabled' | 'testing';

/** OIDC provider configuration. */
export interface IOAuthConfig {
  clientId: string;
  clientSecretEncrypted: string; // AES-256-GCM encrypted (each encryption needs a fresh nonce)
  issuer: string; // OIDC issuer URL (used for discovery); the ID token's `iss` claim should match it exactly
  authorizationUrl?: string; // Override discovery
  tokenUrl?: string; // Override discovery
  userInfoUrl?: string; // Override discovery
  scopes: string[];
  callbackUrl: string; // must be the exact redirect URI registered at the provider
}

/** LDAP provider configuration. */
export interface ILdapConfig {
  serverUrl: string; // ldap:// or ldaps://; plain ldap:// exposes the bind password unless TLS is negotiated
  bindDn: string;
  bindPasswordEncrypted: string; // AES-256-GCM encrypted
  baseDn: string;
  userSearchFilter: string; // e.g., "(uid={{username}})" or "(sAMAccountName={{username}})" — the substituted username is user input and must be filter-escaped (RFC 4515) or the filter can be altered
  tlsEnabled: boolean;
  tlsCaCert?: string;
}

/** Names of the provider attributes/claims that populate the local user fields. */
export interface IAttributeMapping {
  email: string;
  username: string;
  displayName: string;
  avatarUrl?: string;
  groups?: string;
}

/** How externally authenticated users are created or matched locally. */
export interface IProvisioningSettings {
  jitEnabled: boolean; // Create user on first login
  autoLinkByEmail: boolean; // Link to existing user by email match — NOTE(review): an unverified provider email lets an attacker claim an existing account; link only on a verified email claim
  allowedEmailDomains?: string[]; // Restrict to specific domains
}
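/** Persisted external identity-provider record. */
export interface IAuthProvider {
  id: string;
  name: string;
  displayName: string;
  type: TAuthProviderType;
  status: TAuthProviderStatus;
  priority: number;
  oauthConfig?: IOAuthConfig; // set when type === 'oidc'
  ldapConfig?: ILdapConfig; // set when type === 'ldap'
  attributeMapping: IAttributeMapping;
  provisioning: IProvisioningSettings;
  createdAt: Date;
  updatedAt: Date;
  createdById: string;
  lastTestedAt?: Date;
  lastTestResult?: 'success' | 'failure';
  lastTestError?: string;
}

/**
 * Link between a local user and an identity at one provider.
 *
 * The `Record` type arguments were lost in the source; `unknown` is used so raw
 * provider attributes must be narrowed before use.
 */
export interface IExternalIdentity {
  id: string;
  userId: string;
  providerId: string;
  externalId: string;
  externalEmail?: string;
  externalUsername?: string;
  rawAttributes?: Record<string, unknown>;
  lastLoginAt?: Date;
  createdAt: Date;
}

/** Platform-wide authentication switches. */
export interface IPlatformAuthSettings {
  localAuthEnabled: boolean;
  allowUserRegistration: boolean;
  sessionDurationMinutes: number;
  defaultProviderId?: string;
}

/** Platform settings root. */
export interface IPlatformSettings {
  id: string;
  auth: IPlatformAuthSettings;
  updatedAt: Date;
  updatedById?: string;
}

// External auth flow types

/** Normalized identity returned by a provider after a successful external login. */
export interface IExternalUserInfo {
  externalId: string;
  email: string; // NOTE(review): nothing here says whether the provider verified it — callers deciding to auto-link should check
  username?: string;
  displayName?: string;
  avatarUrl?: string;
  groups?: string[];
  rawAttributes: Record<string, unknown>; // type arguments restored; narrow before use
}

/** Result of an admin-triggered connectivity test against a provider. */
export interface IConnectionTestResult {
  success: boolean;
  latencyMs: number;
  serverInfo?: Record<string, unknown>; // type arguments restored
  error?: string;
}

/**
 * Result of an external login attempt.
 *
 * `user` is restricted to the secret-free projection of IUser (no
 * passwordHash / mfaSecret) so the result can be serialized to the client.
 */
export interface IExternalAuthResult {
  success: boolean;
  user?: Omit<IUser, 'passwordHash' | 'mfaSecret'>;
  accessToken?: string;
  refreshToken?: string;
  sessionId?: string;
  isNewUser?: boolean;
  errorCode?: string;
  errorMessage?: string;
}

// Admin DTOs

/** Payload for registering a provider. */
export interface ICreateAuthProviderDto {
  name: string;
  displayName: string;
  type: TAuthProviderType;
  oauthConfig?: IOAuthConfig;
  ldapConfig?: ILdapConfig;
  attributeMapping?: IAttributeMapping;
  provisioning?: IProvisioningSettings;
}

/**
 * Payload for updating a provider. Nested configs are partial patches; the
 * `Partial` type arguments were lost in the source and are restored here from
 * the matching ICreateAuthProviderDto fields.
 */
export interface IUpdateAuthProviderDto {
  displayName?: string;
  status?: TAuthProviderStatus;
  priority?: number;
  oauthConfig?: Partial<IOAuthConfig>;
  ldapConfig?: Partial<ILdapConfig>;
  attributeMapping?: Partial<IAttributeMapping>;
  provisioning?: Partial<IProvisioningSettings>;
}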