// Sign-out for the operator portal. Same shape as the customer portal's
// sign-out (apps/portal/server/api/auth/sign-out.get.ts) — ends BOTH the
// local nuxt-oidc-auth session AND the Authentik IdP session so the next
// person at the same browser must re-enter credentials. Required for
// shared-workstation safety; operator portal carries elevated privileges.
//
// Flow:
//   1. Read the id_token off the local session (needed as id_token_hint).
//   2. Clear the local session (cookie + persistent store).
//   3. 302 the BROWSER through Authentik's dezky-operator end-session URL
//      with post_logout_redirect_uri=/signed-out.
//
// The brief URL-bar flash to the Authentik host is unavoidable: that's the
// only host that can clear the Authentik session cookie (server-to-server
// invalidation alone leaves the browser cookie, which would let the next
// visit silently re-authorize).

import { getUserSession, clearUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

// Environment-driven so one build serves dev (.local) and prod (.eu) — same
// pattern as the customer portal's sign-out.
const AUTH_URL = (process.env.NUXT_PUBLIC_AUTH_URL || 'https://auth.dezky.local').replace(/\/$/, '')
const OPERATOR_URL = (process.env.NUXT_PUBLIC_OPERATOR_URL || 'https://operator.dezky.local').replace(/\/$/, '')
const OIDC_APP_SLUG = process.env.OPERATOR_OIDC_APP_SLUG || 'dezky-operator'
const END_SESSION = `${AUTH_URL}/application/o/${OIDC_APP_SLUG}/end-session/`
const POST_LOGOUT_REDIRECT = `${OPERATOR_URL}/signed-out`

export default defineEventHandler(async (event) => {
  const session = await getUserSession(event).catch(() => ({} as any))
  const idToken: string | undefined = (session as any).idToken

  await clearUserSession(event).catch(() => {})

  const params = new URLSearchParams({
    post_logout_redirect_uri: POST_LOGOUT_REDIRECT,
    ...(idToken && { id_token_hint: idToken }),
  })

  return sendRedirect(event, `${END_SESSION}?${params.toString()}`, 302)
})