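/**
 * MSAL (Microsoft Authentication Library) configuration for Azure AD SSO.
 * Uses PKCE flow by default for SPA security.
 *
 * Every setting is read from Vite env vars (`VITE_AZURE_*`). Vite inlines
 * `VITE_`-prefixed values into the client bundle, so only public identifiers
 * (client ID, tenant ID, redirect URI) belong in them, never a secret.
 */
import { Configuration, LogLevel, PopupRequest } from '@azure/msal-browser';

// Read each identifier once so the authority, client ID and API scope below
// cannot drift apart. `||` is deliberate: an empty string counts as "not set".
const clientId: string = import.meta.env.VITE_AZURE_CLIENT_ID || '';
const tenantId: string = import.meta.env.VITE_AZURE_TENANT_ID || '';

// Surface misconfiguration at load time instead of failing later with an
// opaque sign-in error. These only log; they do not change the exported values.
if (!clientId) {
  console.error(
    '[msal] VITE_AZURE_CLIENT_ID is not set; clientId is empty and the API scope is malformed.',
  );
}
if (!tenantId) {
  console.warn(
    "[msal] VITE_AZURE_TENANT_ID is not set; falling back to the multi-tenant 'common' authority.",
  );
}

// Application ID URI scope shared by the login and API token requests.
const apiDefaultScope = `api://${clientId}/.default`;

/**
 * MSAL configuration - uses PKCE by default for SPAs.
 *
 * Security notes for reviewers:
 * - `authority` falls back to `common` when no tenant ID is configured. The
 *   scope comment below describes this as a single-tenant app, so a pinned
 *   tenant ID is the expected setup; the fallback is kept for compatibility.
 * - `redirectUri` / `postLogoutRedirectUri` default to the current origin.
 *   They must match a redirect URI registered on the app registration.
 */
export const msalConfig: Configuration = {
  auth: {
    clientId,
    authority: `https://login.microsoftonline.com/${tenantId || 'common'}`,
    redirectUri: import.meta.env.VITE_AZURE_REDIRECT_URI || window.location.origin,
    postLogoutRedirectUri: window.location.origin,
  },
  cache: {
    // Persists auth state across browser tabs/refresh.
    // NOTE(security): localStorage outlives the tab and is readable by any
    // script running on this origin, so an XSS bug can expose cached tokens.
    // 'sessionStorage' (MSAL's default) narrows that window at the cost of
    // cross-tab sign-in. Keep this only with a strict CSP and audited
    // third-party scripts.
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: false, // Not needed for modern browsers
  },
  system: {
    loggerOptions: {
      loggerCallback: (level, message, containsPii) => {
        // Never write PII-flagged messages to the browser console.
        if (containsPii) return;
        switch (level) {
          case LogLevel.Error:
            console.error(message);
            break;
          case LogLevel.Warning:
            console.warn(message);
            break;
          case LogLevel.Info:
            console.info(message);
            break;
          case LogLevel.Verbose:
            console.debug(message);
            break;
        }
      },
      logLevel: LogLevel.Warning,
    },
  },
};

/**
 * Scopes for the access token.
 * Using .default for single-tenant apps to get all configured API permissions.
 */
export const loginRequest: PopupRequest = {
  scopes: [apiDefaultScope],
};

/** Scopes for API calls (same as login for this app). */
export const apiTokenRequest = {
  scopes: [apiDefaultScope],
};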