import NextAuth from "next-auth";
import Keycloak from "next-auth/providers/keycloak";

/**
 * Auth.js (NextAuth) configuration with Keycloak as the only identity provider.
 *
 * Exports the route `handlers`, the `signIn` / `signOut` helpers and the `auth`
 * accessor that NextAuth() returns. The callbacks copy the Keycloak subject,
 * access token and ID token into the session JWT at sign-in, then expose the
 * subject and the ID token on the session object.
 */
export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Keycloak({
      // The `!` assertions only satisfy the compiler; a missing variable still
      // reaches the provider as `undefined` at runtime.
      // NOTE(review): nothing in this file checks that these are set. Confirm
      // the deployment validates them, and that KEYCLOAK_CLIENT_SECRET is only
      // supplied through server-side environment.
      clientId: process.env.KEYCLOAK_CLIENT_ID!,
      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET!,
      issuer: process.env.KEYCLOAK_ISSUER!,
    }),
  ],
  callbacks: {
    // Allows the request whenever a session exists and rejects it otherwise.
    // This is an authentication check only: no role, group or scope is examined.
    // NOTE(review): this callback only takes effect where `auth` is wired in as
    // middleware, which this file does not show. Confirm the matcher covers
    // every protected route.
    authorized({ auth }) {
      return !!auth;
    },
    // Runs whenever the session JWT is created or updated. `account` is only
    // present on the sign-in call, so the provider values are captured once.
    jwt({ token, account }) {
      if (account) {
        // providerAccountId is the Keycloak `sub` UUID for the account that
        // just signed in.
        token.keycloakId = account.providerAccountId;
        // The raw provider tokens are stored inside the session JWT.
        // NOTE(review): no expiry is recorded and no refresh is performed in
        // this file, so anything that reads token.accessToken later may be
        // holding an expired token. Confirm how it is consumed.
        token.accessToken = account.access_token;
        token.idToken = account.id_token;
      }
      return token;
    },
    // Builds the session object handed to the application.
    session({ session, token }) {
      // Prefer the id captured at sign-in and fall back to the JWT `sub`.
      // The `as string` cast is compile-time only: if both are missing,
      // user.id is `undefined` at runtime.
      session.user.id = (token.keycloakId ?? token.sub) as string;
      // The raw ID token is placed on the session; accessToken is not copied.
      // NOTE(review): session contents are readable by client-side code that
      // fetches the session. Confirm the ID token is needed there (presumably
      // for an RP-initiated logout hint) and is never accepted as an API
      // credential.
      session.idToken = token.idToken as string | undefined;
      return session;
    },
  },
  pages: {
    // Use the application's own /login page in place of the built-in sign-in page.
    signIn: "/login",
  },
});