// Authentication API for memos.api.v1: sign-in with a password or an SSO
// authorization code, access-token refresh, sign-out, and current-user lookup.
//
// Token model, as documented on the RPCs below: a short-lived access token is
// returned in response bodies, while the refresh token is delivered only as an
// HttpOnly cookie that the server sets on SignIn and clears on SignOut.
syntax = "proto3";

package memos.api.v1;

import "api/v1/user_service.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";

option go_package = "gen/api/v1";

// AuthService handles user authentication and session lifecycle.
// Every RPC is also exposed over HTTP under /api/v1/auth/ via google.api.http.
service AuthService {
  // GetCurrentUser returns the authenticated user's information.
  // Validates the access token and returns user details.
  // Similar to OIDC's /userinfo endpoint.
  rpc GetCurrentUser(GetCurrentUserRequest) returns (GetCurrentUserResponse) {
    option (google.api.http) = {get: "/api/v1/auth/me"};
  }

  // SignIn authenticates a user with credentials and returns tokens.
  // On success, returns an access token and sets a refresh token cookie.
  // Supports password-based and SSO authentication methods.
  //
  // The request body carries secrets (a password, or an authorization code
  // plus PKCE verifier). NOTE(review): confirm that the handler and any HTTP
  // logging/tracing middleware never record the request body, and that failed
  // attempts are rate limited — neither is visible from this schema.
  rpc SignIn(SignInRequest) returns (SignInResponse) {
    option (google.api.http) = {
      post: "/api/v1/auth/signin"
      body: "*"
    };
  }

  // SignOut terminates the user's authentication.
  // Revokes the refresh token and clears the authentication cookie.
  //
  // Returns google.protobuf.Empty rather than a dedicated SignOutResponse.
  // Proto convention prefers a per-RPC response message so fields can be added
  // later, but changing the return type now would break generated clients, so
  // it is left as is.
  rpc SignOut(SignOutRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {post: "/api/v1/auth/signout"};
  }

  // RefreshToken exchanges a valid refresh token for a new access token.
  // The refresh token is read from the HttpOnly cookie.
  // Returns a new short-lived access token.
  //
  // Because the credential is a cookie the browser attaches automatically,
  // this POST is reachable from cross-site pages. NOTE(review): confirm the
  // cookie is set with SameSite (and Secure), or that a CSRF check guards this
  // route; cookie attributes are chosen server-side and are not visible here.
  rpc RefreshToken(RefreshTokenRequest) returns (RefreshTokenResponse) {
    option (google.api.http) = {
      post: "/api/v1/auth/refresh"
      body: "*"
    };
  }
}

// Request for GetCurrentUser. Carries no fields; the caller is identified by
// the access token presented with the request.
message GetCurrentUserRequest {}

// Response for GetCurrentUser.
message GetCurrentUserResponse {
  // The authenticated user's information.
  User user = 1;
}

// Request for SignIn. Exactly one credential type is expected (see the
// `credentials` oneof below).
message SignInRequest {
  // Nested message for password-based authentication credentials.
  message PasswordCredentials {
    // The username to sign in with.
    string username = 1 [(google.api.field_behavior) = REQUIRED];

    // The password to sign in with.
    // Sent in plaintext inside the request body; transport protection (TLS)
    // is assumed and is not something this schema can enforce.
    string password = 2 [(google.api.field_behavior) = REQUIRED];
  }

  // Nested message for SSO authentication credentials: the client forwards
  // the authorization code it received from the provider for server-side
  // exchange.
  message SSOCredentials {
    // The ID of the SSO provider.
    int32 idp_id = 1 [(google.api.field_behavior) = REQUIRED];

    // The authorization code from the SSO provider.
    string code = 2 [(google.api.field_behavior) = REQUIRED];

    // The redirect URI used in the SSO flow.
    // This value is client-supplied. NOTE(review): the server should compare
    // it against the redirect URI registered for idp_id rather than use it
    // as given — confirm in the SignIn handler.
    string redirect_uri = 3 [(google.api.field_behavior) = REQUIRED];

    // The PKCE code verifier for enhanced security (RFC 7636).
    // Optional - enables PKCE flow protection against authorization code interception.
    // NOTE(review): because this is OPTIONAL at the schema level, whether a
    // missing verifier is rejected for providers that require PKCE is decided
    // server-side — confirm there is no silent downgrade to a non-PKCE flow.
    string code_verifier = 4 [(google.api.field_behavior) = OPTIONAL];
  }

  // Authentication credentials. Provide one method.
  oneof credentials {
    // Username and password authentication.
    PasswordCredentials password_credentials = 1;

    // SSO provider authentication.
    SSOCredentials sso_credentials = 2;
  }
}

// Response for SignIn. The refresh token is deliberately not part of this
// message; it is delivered only as the HttpOnly cookie described on SignIn.
message SignInResponse {
  // The authenticated user's information.
  User user = 1;

  // The short-lived access token for API requests.
  // Store in memory only, not in localStorage.
  string access_token = 2;

  // When the access token expires.
  // Client should call RefreshToken before this time.
  google.protobuf.Timestamp access_token_expires_at = 3;
}

// Request for SignOut. Carries no fields; see SignOut for what is revoked.
message SignOutRequest {}

// Request for RefreshToken. Carries no fields; the refresh token is read from
// the HttpOnly cookie, never from the request body.
message RefreshTokenRequest {}

// Response for RefreshToken.
message RefreshTokenResponse {
  // The new short-lived access token.
  string access_token = 1;

  // When the access token expires.
  // Same meaning as SignInResponse.access_token_expires_at despite the
  // different name; kept as is because renaming would change the JSON key
  // and generated accessors.
  google.protobuf.Timestamp expires_at = 2;
}