defmodule Mv.Secrets do
  @moduledoc """
  Secret provider for AshAuthentication.

  ## Purpose
  Provides runtime configuration secrets for Ash Authentication strategies,
  particularly for OIDC (Rauthy) authentication.

  ## Configuration Source
  Secrets are read via `Mv.Config` which prefers environment variables and
  falls back to Settings from the database:
  - OIDC_CLIENT_ID / settings.oidc_client_id
  - OIDC_CLIENT_SECRET / settings.oidc_client_secret
  - OIDC_BASE_URL / settings.oidc_base_url
  - OIDC_REDIRECT_URI / settings.oidc_redirect_uri

  ## Usage
  This module is automatically called by AshAuthentication when resolving
  secrets for the User resource's OIDC strategy.
  """
  use AshAuthentication.Secret

  def secret_for(
        [:authentication, :strategies, :oidc, :client_id],
        Mv.Accounts.User,
        _opts,
        _meth
      ) do
    {:ok, Mv.Config.oidc_client_id()}
  end

  def secret_for(
        [:authentication, :strategies, :oidc, :redirect_uri],
        Mv.Accounts.User,
        _opts,
        _meth
      ) do
    {:ok, Mv.Config.oidc_redirect_uri()}
  end

  def secret_for(
        [:authentication, :strategies, :oidc, :client_secret],
        Mv.Accounts.User,
        _opts,
        _meth
      ) do
    {:ok, Mv.Config.oidc_client_secret()}
  end

  def secret_for(
        [:authentication, :strategies, :oidc, :base_url],
        Mv.Accounts.User,
        _opts,
        _meth
      ) do
    {:ok, Mv.Config.oidc_base_url()}
  end
end