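import { SSOConfig, SSOUserData } from '../types/auth.types';

/**
 * SSO / token-exchange settings, resolved from `process.env` on every access.
 *
 * Each property is a getter rather than a value captured at import time, so
 * the values are read after secrets are loaded from Google Secret Manager.
 *
 * Secret-bearing properties (`jwtSecret`, `sessionSecret`, `oktaClientSecret`,
 * `oktaApiToken`, `tanflowClientSecret`) resolve to `''` when the variable is
 * unset or empty. An empty string means "not configured".
 * NOTE(review): the consumers of these values are not visible in this file;
 * confirm they reject an empty secret instead of signing or authenticating
 * with it.
 */
const ssoConfig: SSOConfig = {
  get jwtSecret() {
    return process.env.JWT_SECRET || '';
  },
  get jwtExpiry() {
    return process.env.JWT_EXPIRY || '24h';
  },
  get refreshTokenExpiry() {
    return process.env.REFRESH_TOKEN_EXPIRY || '7d';
  },
  get sessionSecret() {
    return process.env.SESSION_SECRET || '';
  },

  // Use only FRONTEND_URL from the environment - no fallbacks.
  // The value is a comma-separated list; entries are trimmed and blank
  // entries dropped. An unset variable yields an empty list.
  get allowedOrigins() {
    return (
      process.env.FRONTEND_URL?.split(',')
        .map((origin) => origin.trim())
        .filter(Boolean) || []
    );
  },

  // Okta/Auth0 configuration for token exchange.
  // The domain fallback is an unresolved template placeholder, not a host.
  // NOTE(review): confirm callers fail cleanly when OKTA_DOMAIN is unset.
  get oktaDomain() {
    return process.env.OKTA_DOMAIN || '{{IDP_DOMAIN}}';
  },
  get oktaClientId() {
    return process.env.OKTA_CLIENT_ID || '';
  },
  get oktaClientSecret() {
    return process.env.OKTA_CLIENT_SECRET || '';
  },
  // SSWS token for Users API
  get oktaApiToken() {
    return process.env.OKTA_API_TOKEN || '';
  },

  // Tanflow configuration for token exchange.
  // The base-URL fallback contains the same unresolved placeholder as
  // oktaDomain above.
  get tanflowBaseUrl() {
    return process.env.TANFLOW_BASE_URL || '{{IDP_DOMAIN}}/realms/RE';
  },
  get tanflowClientId() {
    return process.env.TANFLOW_CLIENT_ID || 'REFLOW';
  },
  // No source-level default for a client secret: a non-empty fallback is a
  // hard-coded credential and hides a missing TANFLOW_CLIENT_SECRET. This now
  // resolves to '' like oktaClientSecret, so the gap is visible to callers.
  get tanflowClientSecret() {
    return process.env.TANFLOW_CLIENT_SECRET || '';
  },
};

export { ssoConfig };
export type { SSOUserData };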