// Nuxt 3 configuration for the Dezky operator portal.
// This app is deliberately separate from apps/portal: it has its own OAuth
// client, its own cookies, its own domain and stricter authorization.
// See docs/OPERATOR-PLAN.md.

// <head> links: preconnect hints plus the web-font stylesheet.
// NOTE(review): the stylesheet is fetched from a third-party origin on every
// page load of the operator UI. Self-hosting the fonts would remove that
// external dependency — confirm whether this is acceptable for this portal.
const headLinks = [
  { rel: 'preconnect', href: 'https://fonts.googleapis.com' },
  { rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
  {
    rel: 'stylesheet',
    href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
  },
];

// Generic OIDC provider entry for the dezky-operator Authentik client. It has
// the same shape as the customer portal's config, but targets a different
// provider and a different audience.
const operatorOidcProvider = {
  // Credentials and redirect URI come from the environment. A missing variable
  // silently becomes '' instead of failing at startup.
  // NOTE(review): these are read when this config is evaluated. Confirm the
  // client secret is supplied through runtime environment in production and
  // does not end up baked into build output.
  clientId: process.env.NUXT_OIDC_CLIENT_ID || '',
  clientSecret: process.env.NUXT_OIDC_CLIENT_SECRET || '',
  redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || '',

  // Endpoints are hard-coded to the auth.dezky.local host. The authorize,
  // token and userinfo URLs are the shared /application/o/ paths; end-session
  // and discovery are specific to the dezky-operator application.
  authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
  tokenUrl: 'https://auth.dezky.local/application/o/token/',
  userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
  logoutUrl: 'https://auth.dezky.local/application/o/dezky-operator/end-session/',
  openIdConfiguration:
    'https://auth.dezky.local/application/o/dezky-operator/.well-known/openid-configuration',

  // 'groups' is requested in addition to the usual identity scopes.
  // NOTE(review): presumably used for operator authorization — verify that
  // group membership is enforced server-side and not only in the UI.
  scope: ['openid', 'profile', 'email', 'groups'],
  userNameClaim: 'preferred_username',

  // Authorization-code flow with PKCE.
  responseType: 'code',
  grantType: 'authorization_code',
  pkce: true,

  // NOTE(review): with parsing skipped, the access token is treated as opaque
  // by this app. Confirm whatever consumes it validates it on its own.
  skipAccessTokenParsing: true,

  // NOTE(review): this makes the access token available to client-side code,
  // so any script running in the page can read it. For an operator portal,
  // confirm the browser really needs the token. If only server routes call
  // the backend, keeping it server-side reduces exposure.
  exposeAccessToken: true,
};

// nuxt-oidc-auth module options.
const oidcOptions = {
  defaultProvider: 'oidc',
  session: {
    expirationCheck: true,
    automaticRefresh: true,
  },
  middleware: {
    // Auth middleware applies globally; the app ships its own login page.
    globalMiddlewareEnabled: true,
    customLoginPage: true,
  },
  providers: {
    oidc: operatorOidcProvider,
  },
};

// Dev-server settings for running behind the Traefik proxy.
const viteOptions = {
  server: {
    // Vite 7 added a strict host check; allow Traefik-fronted hostnames in dev.
    allowedHosts: ['operator.dezky.local'],
    // HMR websocket goes through the TLS front end (wss on port 443).
    hmr: {
      protocol: 'wss',
      clientPort: 443,
    },
  },
};

// Nitro server route rules.
const nitroOptions = {
  routeRules: {
    // NOTE(review): this turns on Nitro's permissive CORS headers for every
    // API route. Confirm that cross-origin callers are actually required for
    // the operator API. If not, drop the rule or restrict it to known origins.
    '/api/**': { cors: true },
  },
};

export default defineNuxtConfig({
  compatibilityDate: '2026-01-01',
  devtools: { enabled: true },
  modules: ['nuxt-oidc-auth'],
  css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],
  app: {
    head: {
      htmlAttrs: { 'data-theme': 'dark' },
      link: headLinks,
    },
  },
  oidc: oidcOptions,
  vite: viteOptions,
  nitro: nitroOptions,
});