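import { ZitadelAuth } from "@kuns/zitadel-auth";

/**
 * Returns a public runtime-config value after checking that it is a non-empty string.
 *
 * The plugin previously narrowed these values with `as string`, which only silences the
 * compiler: an unset value would have been handed to the auth client unchanged. Failing
 * here names the missing key instead.
 *
 * @param key - Name of the runtime-config key, used only in the error message.
 * @param value - The value read from `useRuntimeConfig().public`.
 * @returns The value unchanged (not trimmed).
 * @throws Error when the value is not a string or is empty/whitespace-only.
 */
function requireConfigString(key: string, value: unknown): string {
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`[auth] public runtime config "${key}" is missing or empty`);
  }
  return value;
}

// Bootstrap-gate auth BEFORE the app mounts (mirrors the working krypto-kuns pattern):
// Nuxt awaits async plugins before mounting, so we await init() and, if unauthenticated,
// redirect to Zitadel and hold the mount — the app never renders (and never calls the API)
// while unauthenticated. This avoids the router-guard mount race that produced a 401 flash.
//
// This gate runs in the browser and only decides whether the UI is rendered. It is not an
// access control: the API has to validate every token itself (signature, issuer, audience,
// expiry).
//
// NOTE(review): an error thrown here (config check, constructor or init()) is left to Nuxt's
// plugin error handling — confirm that path does not render pages that call the API.
export default defineNuxtPlugin(async () => {
  const cfg = useRuntimeConfig().public;

  // Fail fast on missing settings rather than starting a login flow with empty values.
  const clientId = requireConfigString("zitadelClientId", cfg.zitadelClientId);
  const issuer = requireConfigString("zitadelIssuer", cfg.zitadelIssuer);

  const scopes = ["openid", "profile", "email"];
  if (cfg.zitadelProjectId) {
    // Put the project id into the access token's `aud` for backend validation.
    // The scope only requests the audience; the backend must still check `aud`.
    scopes.push(`urn:zitadel:iam:org:project:id:${cfg.zitadelProjectId}:aud`);
  }

  const auth = new ZitadelAuth({
    clientId,
    issuer,
    scopes,
    // Bootstrap gate issues at most one redirect per load, so a real loop never happens;
    // raise the loop-guard ceiling so repeated manual reloads can't strand the user.
    // NOTE(review): a ceiling this high effectively turns the loop guard off. If the
    // callback keeps failing (e.g. a misconfigured redirect URI), nothing here stops the
    // browser bouncing between app and IdP — confirm that failure is surfaced elsewhere.
    maxRedirects: 100,
  });

  // Read the path before init() runs; keep this order if init() can change the URL.
  // NOTE(review): `window` exists only in the browser — confirm this plugin is registered
  // client-only. Also, endsWith() exempts every path with this suffix from the redirect,
  // so the app mounts unauthenticated there; confirm only the real callback route matches.
  const onCallback = window.location.pathname.endsWith("/auth/callback");

  await auth.init();

  if (!auth.isAuthenticated && !onCallback) {
    // NOTE(review): the result of login() is not awaited. If it returns a promise that can
    // reject, the rejection is unhandled and the page stays blank — verify against the library.
    auth.login();
    // Hold the mount while the browser navigates to the Zitadel login.
    // This promise never settles, so the plugin never returns on this path.
    await new Promise(() => {});
  }

  return { provide: { auth } };
});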