// Nuxt 3 configuration for Dezky portal
// https://nuxt.com/docs/api/configuration/nuxt-config

export default defineNuxtConfig({
  compatibilityDate: '2026-01-01',
  devtools: { enabled: true },

  modules: ['nuxt-oidc-auth'],

  css: ['~/assets/styles/tokens.css', '~/assets/styles/base.css'],

  app: {
    head: {
      link: [
        { rel: 'preconnect', href: 'https://fonts.googleapis.com' },
        { rel: 'preconnect', href: 'https://fonts.gstatic.com', crossorigin: '' },
        {
          rel: 'stylesheet',
          href: 'https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Inter+Tight:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600;700&display=swap',
        },
      ],
    },
  },

  runtimeConfig: {
    mongodbUri: process.env.MONGODB_URI,
    apiBase: process.env.NUXT_API_BASE,
    public: {
      authUrl: process.env.NUXT_PUBLIC_AUTH_URL,
      portalUrl: process.env.NUXT_PUBLIC_PORTAL_URL,
    },
  },

  oidc: {
    defaultProvider: 'oidc',
    session: {
      expirationCheck: true,
      automaticRefresh: true,
    },
    middleware: {
      globalMiddlewareEnabled: true,
      customLoginPage: true,
    },
    providers: {
      // Generic OIDC against our Authentik instance (provider preset key MUST be one of
      // apple, auth0, cognito, entra, github, keycloak, logto, microsoft, oidc, paypal, zitadel).
      oidc: {
        clientId: process.env.NUXT_OIDC_CLIENT_ID || '',
        clientSecret: process.env.NUXT_OIDC_CLIENT_SECRET || '',
        redirectUri: process.env.NUXT_OIDC_REDIRECT_URI || '',
        authorizationUrl: 'https://auth.dezky.local/application/o/authorize/',
        tokenUrl: 'https://auth.dezky.local/application/o/token/',
        userInfoUrl: 'https://auth.dezky.local/application/o/userinfo/',
        logoutUrl: 'https://auth.dezky.local/application/o/dezky-portal/end-session/',
        // Discovery URL — used by id_token validation to fetch JWKS + issuer
        openIdConfiguration:
          'https://auth.dezky.local/application/o/dezky-portal/.well-known/openid-configuration',
        scope: ['openid', 'profile', 'email', 'groups'],
        userNameClaim: 'preferred_username',
        responseType: 'code',
        grantType: 'authorization_code',
        pkce: true,
        // Authentik's access tokens aren't always parseable as JWT — skip strict parsing
        skipAccessTokenParsing: true,
        // Expose access token in the server-side session so Nitro route handlers can
        // forward it to provisioning. Token never reaches the browser.
        exposeAccessToken: true,
      },
    },
  },

  vite: {
    server: {
      hmr: {
        protocol: 'wss',
        clientPort: 443,
      },
    },
  },

  nitro: {
    routeRules: {
      '/api/**': { cors: true },
    },
  },
})