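defmodule Mv.Accounts.User do
  @moduledoc """
  User account resource backed by the `users` table.

  Two sign-in strategies are configured: OIDC against a Rauthy provider
  (`:rauthy`) and email/password (`:password`). Tokens are issued through
  `Mv.Accounts.Token`.
  """

  use Ash.Resource,
    domain: Mv.Accounts,
    data_layer: AshPostgres.DataLayer,
    extensions: [AshAuthentication]

  # NOTE(review): the policy authorizer is not enabled, so nothing in this
  # resource restricts who may read or change user rows; see the commented
  # `policies` block at the bottom.
  # authorizers: [Ash.Policy.Authorizer]

  postgres do
    table "users"
    repo Mv.Repo
  end

  authentication do
    tokens do
      enabled? true
      token_resource Mv.Accounts.Token

      # Fail closed: `Application.fetch_env/2` returns `:error` when the secret
      # is not configured instead of wrapping a `nil` secret in `{:ok, _}`, and
      # it matches how `client_secret` below resolves its value.
      signing_secret fn _, _ ->
        Application.fetch_env(:mv, :token_signing_secret)
      end
    end

    strategies do
      oidc :rauthy do
        client_id "mv"
        # Local-development endpoints; presumably these should be supplied per
        # environment from configuration rather than fixed here — confirm.
        base_url "http://localhost:8080/auth/v1"
        redirect_uri "http://localhost:4000/auth/user/rauthy/callback"
        auth_method :client_secret_jwt
        # id_token_signed_response_alg "EdDSA"
        # user_url "http://localhost:8080/auth/v1/oidc/userinfo"
        # token_url "http://localhost:8080/auth/v1/oidc/token"
        # authorize_url "http://localhost:8080/auth/v1/oidc/authorize"

        # Unknown OIDC subjects are not auto-registered; they must already
        # exist locally (see `sign_in_with_rauthy`).
        registration_enabled? false
        # PKCE code verifier for the authorization-code exchange.
        code_verifier true
        # The config key is spelled `:oicd_client_secret` (sic); it must match
        # the application config exactly.
        client_secret fn _, _ -> Application.fetch_env(:mv, :oicd_client_secret) end
      end

      password :password do
        identity_field :email
        hash_provider AshAuthentication.BcryptProvider
        # No email confirmation step for password accounts.
        confirmation_required? false
      end
    end
  end

  actions do
    defaults [:read, :create, :destroy, :update]

    read :get_by_subject do
      description "Get a user by the subject claim in a JWT"
      argument :subject, :string, allow_nil?: false
      get? true
      prepare AshAuthentication.Preparations.FilterBySubject
    end

    read :sign_in_with_rauthy do
      argument :user_info, :map, allow_nil?: false
      argument :oauth_tokens, :map, allow_nil?: false
      prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
      # Links the provider identity to a local account by the `email` claim in
      # `user_info`. The TODO below intends to switch this to `oidc_id` taken
      # from `user_info`, i.e. a stable subject identifier instead of an email.
      filter expr(email == get_path(^arg(:user_info), [:email]))
    end
  end

  ## TODO: add registration, remove the seed, take oidc_id from the user_info map

  attributes do
    uuid_primary_key :id
    attribute :email, :ci_string, allow_nil?: false, public?: true
    # Marked sensitive so it is redacted from inspection/logging output.
    attribute :hashed_password, :string, sensitive?: true, allow_nil?: true
    attribute :oidc_id, :string, allow_nil?: true
  end

  relationships do
    belongs_to :member, Mv.Membership.Member
  end

  identities do
    identity :unique_email, [:email]
    identity :unique_oidc_id, [:oidc_id]
  end

  # You can customize this if you wish, but this is a safe default that
  # only allows user data to be interacted with via AshAuthentication.
  # policies do
  #   bypass AshAuthentication.Checks.AshAuthenticationInteraction do
  #     authorize_if(always())
  #   end
  #
  #   policy always() do
  #     forbid_if(always())
  #   end
  # end
end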