modcomms/frontend/services/authConfig.ts

/**
 * MSAL (Microsoft Authentication Library) configuration for Azure AD SSO.
 * Uses PKCE flow by default for SPA security.
 */
import { Configuration, LogLevel, PopupRequest } from '@azure/msal-browser';

// Client ID used for both MSAL config and API token requests
const CLIENT_ID = import.meta.env.VITE_AZURE_CLIENT_ID || '';

// MSAL configuration - uses PKCE by default for SPAs
export const msalConfig: Configuration = {
    auth: {
        clientId: CLIENT_ID,
        authority: `https://login.microsoftonline.com/${import.meta.env.VITE_AZURE_TENANT_ID || 'common'}`,
        redirectUri: import.meta.env.VITE_AZURE_REDIRECT_URI || window.location.origin + import.meta.env.BASE_URL,
        postLogoutRedirectUri: window.location.origin + import.meta.env.BASE_URL,
    },
    cache: {
        cacheLocation: 'localStorage', // Persists auth state across browser tabs/refresh
        storeAuthStateInCookie: false, // Not needed for modern browsers
    },
    system: {
        loggerOptions: {
            loggerCallback: (level, message, containsPii) => {
                if (containsPii) return;
                const prefix = '[MSAL]';
                switch (level) {
                    case LogLevel.Error:
                        console.error(prefix, message);
                        break;
                    case LogLevel.Warning:
                        console.warn(prefix, message);
                        break;
                    case LogLevel.Info:
                        console.info(prefix, message);
                        break;
                    case LogLevel.Verbose:
                        console.debug(prefix, message);
                        break;
                }
            },
            logLevel: LogLevel.Info, // Set to Info for debugging MSAL activity
        },
    },
};

// Scopes for initial login (ID token)
export const loginRequest: PopupRequest = {
    scopes: ['openid', 'profile', 'email'],
};

// Scopes for API calls - request token for OUR app, not Graph
// Using the client ID as scope requests an access token for this app
export const apiTokenRequest = {
    scopes: [`${CLIENT_ID}/.default`],
};