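defmodule SsoBsnWeb.ResourceOwners do
  @moduledoc """
  `Boruta.Oauth.ResourceOwners` implementation backed by `SsoBsn.Accounts`.

  Resource owners are looked up by `username:` or by `sub:` (the string form of
  the user's id, as emitted in the `sub` field of the returned resource owner).
  Password authentication is deliberately not supported: `check_password/2`
  raises instead of returning a result.
  """

  @behaviour Boruta.Oauth.ResourceOwners

  alias Boruta.Oauth.ResourceOwner
  alias SsoBsn.Accounts
  alias SsoBsn.Accounts.User

  # Same message for both lookups so the response does not reveal which
  # lookup key failed.
  @not_found {:error, "User not found."}

  @doc """
  Looks up the resource owner for a `username:` or a `sub:` keyword.

  Returns `{:ok, %Boruta.Oauth.ResourceOwner{}}` when the underlying lookup
  yields a `%SsoBsn.Accounts.User{}`, and `{:error, "User not found."}` for
  any other result. Keyword shapes other than `username:` and `sub:` are not
  handled and raise `FunctionClauseError`.
  """
  @impl Boruta.Oauth.ResourceOwners
  @spec get_by(keyword()) :: {:ok, %ResourceOwner{}} | {:error, String.t()}
  def get_by(username: username) do
    username
    |> Accounts.get_user_by_username()
    |> to_resource_owner()
  end

  def get_by(sub: sub) do
    # `sub` is the string form of the user id built by `to_resource_owner/1`;
    # assumes Accounts.get_user/1 accepts the id in that form — TODO confirm.
    sub
    |> Accounts.get_user()
    |> to_resource_owner()
  end

  @doc """
  Always raises: this resource owner store does not support password
  authentication, so password-based grants cannot succeed here.

  The raise surfaces as an exception to the caller rather than as an
  `{:error, _}` tuple.
  """
  @impl Boruta.Oauth.ResourceOwners
  @spec check_password(%ResourceOwner{}, String.t()) :: no_return()
  def check_password(_resource_owner, _password) do
    raise """
    Password auth is not supported
    """
  end

  @doc """
  Returns the scopes every resource owner may be granted.

  The set is fixed (`openid`, `email`, `profile`) and does not depend on the
  resource owner; each scope is returned as `%{name: scope, id: scope}`.
  """
  @impl Boruta.Oauth.ResourceOwners
  @spec authorized_scopes(%ResourceOwner{}) :: [%{name: String.t(), id: String.t()}]
  def authorized_scopes(%ResourceOwner{}) do
    Enum.map(["openid", "email", "profile"], &%{name: &1, id: &1})
  end

  @doc """
  Builds the claims exposed for `resource_owner`.

  The `email` claim is derived from the username and the `:session_domain`
  config of `:sso_bsn`; it is not an address the user has verified, and no
  `email_verified` claim is emitted. The `scope` argument is ignored, so the
  `email` claim is returned even when only `openid` was granted — confirm
  this is intended by the relying parties.
  """
  @impl Boruta.Oauth.ResourceOwners
  @spec claims(%ResourceOwner{}, String.t()) :: %{username: String.t(), email: String.t()}
  def claims(resource_owner, _scope) do
    # Read at runtime on purpose so the domain follows the running config.
    # A missing :session_domain interpolates as "" and yields "<username>@".
    domain = Application.get_env(:sso_bsn, :session_domain)

    %{
      username: resource_owner.username,
      email: "#{resource_owner.username}@#{domain}"
    }
  end

  # Converts a lookup result into the Boruta resource owner; anything that is
  # not a %User{} (nil, an error tuple, ...) maps to the shared not-found error.
  @spec to_resource_owner(term()) :: {:ok, %ResourceOwner{}} | {:error, String.t()}
  defp to_resource_owner(%User{id: id, username: username, last_login_at: last_login_at}) do
    # `sub` must be a string; the id is stringified here and parsed back by
    # whatever Accounts.get_user/1 does with it in get_by(sub: _).
    {:ok, %ResourceOwner{sub: to_string(id), username: username, last_login_at: last_login_at}}
  end

  defp to_resource_owner(_other), do: @not_found
end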