use compliance_core::models::auth::AuthInfo;
use dioxus::prelude::*;

/// Check the current user's authentication state.
///
/// Reads the tower-sessions session on the server and returns an
/// [`AuthInfo`] describing the logged-in user. When no valid session
/// exists, `authenticated` is `false` and all other fields are empty.
#[server(endpoint = "check-auth")]
pub async fn check_auth() -> Result<AuthInfo, ServerFnError> {
    use super::auth::LOGGED_IN_USER_SESS_KEY;
    use super::server_state::ServerState;
    use super::user_state::UserStateInner;
    use dioxus_fullstack::FullstackContext;

    let state: ServerState = FullstackContext::extract().await?;

    // When Keycloak is not configured, treat as always authenticated
    if state.keycloak.is_none() {
        return Ok(AuthInfo {
            authenticated: true,
            name: "Local User".into(),
            ..Default::default()
        });
    }

    let session: tower_sessions::Session = FullstackContext::extract().await?;

    let user_state: Option<UserStateInner> = session
        .get(LOGGED_IN_USER_SESS_KEY)
        .await
        .map_err(|e| ServerFnError::new(format!("session read failed: {e}")))?;

    match user_state {
        Some(u) => Ok(AuthInfo {
            authenticated: true,
            sub: u.sub,
            email: u.user.email,
            name: u.user.name,
            avatar_url: u.user.avatar_url,
        }),
        None => Ok(AuthInfo::default()),
    }
}