import { useZitadelAuth } from "@kuns/zitadel-auth/vue";

// Wire the framework-agnostic Zitadel OIDC client to Nuxt's router (client-only SPA).
// Provides `$auth` (reactive state + login/logout/fetch). The adapter installs a
// router guard that redirects unauthenticated users to the Zitadel hosted login.
export default defineNuxtPlugin(() => {
  const cfg = useRuntimeConfig().public;
  const scopes = ["openid", "profile", "email"];
  if (cfg.zitadelProjectId) {
    // Force the project id into the access token's `aud` for backend validation.
    scopes.push(`urn:zitadel:iam:org:project:id:${cfg.zitadelProjectId}:aud`);
  }
  const auth = useZitadelAuth(useRouter() as never, {
    clientId: cfg.zitadelClientId as string,
    issuer: cfg.zitadelIssuer as string,
    scopes,
  });
  return { provide: { auth } };
});