/**
 * Logout handler — clears server cookie and MSAL session, then redirects.
 *
 * MSAL.js is loaded by base.html so the popup can also sign the user out
 * of Microsoft for this app — otherwise sessionStorage would silently
 * re-authenticate on the next page load.
 */
(function () {
    const logoutBtn = document.getElementById('logoutBtn');
    if (!logoutBtn) return;

    // Match the redirect URI registered in Entra (always one trailing slash).
    const redirectUri =
        window.location.origin +
        (window.BASE_URL || '').replace(/\/$/, '') + '/';

    let msalApp = null;
    try {
        if (typeof msal !== 'undefined' && window.AZURE_TENANT_ID && window.AZURE_CLIENT_ID) {
            msalApp = new msal.PublicClientApplication({
                auth: {
                    clientId: window.AZURE_CLIENT_ID,
                    authority: 'https://login.microsoftonline.com/' + window.AZURE_TENANT_ID,
                    redirectUri: redirectUri
                },
                cache: {
                    cacheLocation: 'sessionStorage',
                    storeAuthStateInCookie: true
                }
            });
        }
    } catch (e) {
        console.warn('MSAL init failed in auth.js:', e);
    }

    logoutBtn.addEventListener('click', async () => {
        try {
            await fetch(window.BASE_URL + '/auth/logout', {
                method: 'POST',
                credentials: 'include'
            });
        } catch (e) { /* ignore */ }

        if (msalApp) {
            try {
                await msalApp.logoutPopup({
                    postLogoutRedirectUri: redirectUri
                });
            } catch (e) { /* ignore */ }
        }

        window.location.href = window.BASE_URL + '/auth/login-page';
    });
})();