defmodule SsoBsnWeb.Router do
  use SsoBsnWeb, :router

  import SsoBsnWeb.UserAuth

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {SsoBsnWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :fetch_current_user
  end

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/", SsoBsnWeb do
    pipe_through :browser

    get "/", PageController, :home
    get "/redirect", UserSessionController, :redirect_next
  end

  # Other scopes may use custom stacks.
  # scope "/api", SsoBsnWeb do
  #   pipe_through :api
  # end

  # Enable LiveDashboard in development
  if Application.compile_env(:sso_bsn, :dev_routes) do
    # If you want to use the LiveDashboard in production, you should put
    # it behind authentication and allow only admins to access it.
    # If your application does not have an admins-only section yet,
    # you can use Plug.BasicAuth to set up some basic authentication
    # as long as you are also using SSL (which you should anyway).
    import Phoenix.LiveDashboard.Router

    scope "/dev" do
      pipe_through :browser

      live_dashboard "/dashboard", metrics: SsoBsnWeb.Telemetry
    end
  end

  ## Authentication routes

  scope "/", SsoBsnWeb do
    pipe_through [:browser, :redirect_if_user_is_authenticated]

    live_session :redirect_if_user_is_authenticated,
      on_mount: [{SsoBsnWeb.UserAuth, :redirect_if_user_is_authenticated}] do
      live "/users/register", UserRegistrationLive, :new
      live "/users/log_in", UserLoginLive, :new
    end

    get "/users/log_in/:token", UserSessionController, :login
  end

  scope "/", SsoBsnWeb do
    pipe_through [:browser, :require_authenticated_user]

    live_session :require_authenticated_user,
      on_mount: [{SsoBsnWeb.UserAuth, :ensure_authenticated}] do
      live "/users/settings", UserSettingsLive, :edit
    end
  end

  scope "/", SsoBsnWeb do
    pipe_through [:browser]

    delete "/users/log_out", UserSessionController, :delete
  end

  scope "/", SsoBsnWeb do
    pipe_through [:api, :fetch_session, :fetch_current_user]

    get "/whoami", UserSessionController, :check_auth
  end


  # OIDC
  scope "/oauth", SsoBsnWeb.Oauth do
    pipe_through :api

    post "/revoke", RevokeController, :revoke
    post "/token", TokenController, :token
    post "/introspect", IntrospectController, :introspect
  end


  scope "/openid", SsoBsnWeb.Openid do
    pipe_through :api

    get "/userinfo", UserinfoController, :userinfo
    post "/userinfo", UserinfoController, :userinfo
    get "/jwks", JwksController, :jwks_index
  end

  scope "/oauth", SsoBsnWeb.Oauth do
    pipe_through [:browser, :fetch_current_user]

    get "/authorize", AuthorizeController, :authorize
  end

  scope "/openid", SsoBsnWeb.Openid do
    pipe_through [:browser, :fetch_current_user]

    get "/authorize", AuthorizeController, :authorize
  end
  
  scope "/.well-known", SsoBsnWeb.Openid do
    pipe_through :api
    get "/openid-configuration", ConfigurationController, :config
  end
end