/**
 * Composable para leer información de usuario de Authentik
 * Los headers son inyectados por Authentik Proxy Outpost
 */

interface AuthentikUser {
  username: string
  email: string | undefined
  name: string | undefined
  groups: string[]
  uid: string | undefined
  avatar: string
}

export const useAuthentik = () => {
  const authentikUser = useState<AuthentikUser | null>('authentikUser', () => {
    if (import.meta.server) {
      const headers = useRequestHeaders()

      const username = headers['x-authentik-username']
      const email = headers['x-authentik-email']
      const name = headers['x-authentik-name']
      const groups = headers['x-authentik-groups']
      const uid = headers['x-authentik-uid']

      if (!username) {
        return null
      }

      return {
        username,
        email,
        name,
        groups: groups ? groups.split('|').filter(g => g.trim()) : [],
        uid,
        avatar: `https://ui-avatars.com/api/?name=${encodeURIComponent(name || username)}&background=075e54&color=fff&size=128`
      }
    }

    return null
  })

  const user = computed(() => authentikUser.value)
  const isAuthenticated = computed(() => !!user.value)

  const logout = () => {
    const authentikUrl = useRuntimeConfig().public.authentikUrl || 'https://authentik.nucleoriofrio.com'
    navigateTo(`${authentikUrl}/flows/-/default/invalidation/`, { external: true })
  }

  const goToProfile = () => {
    const authentikUrl = useRuntimeConfig().public.authentikUrl || 'https://authentik.nucleoriofrio.com'
    navigateTo(`${authentikUrl}/if/user/`, { external: true, open: { target: '_blank' } })
  }

  const hasGroup = (groupName: string): boolean => {
    if (!user.value) return false
    return user.value.groups.includes(groupName)
  }

  return {
    user,
    isAuthenticated,
    logout,
    goToProfile,
    hasGroup
  }
}