syntax = "proto3";

package memos.api.v1;

import "api/v1/user_service.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/empty.proto";

option go_package = "gen/api/v1";

service AuthService {
  // GetAuthStatus returns the current authentication status of the user.
  // This method is idempotent and safe, suitable for checking authentication state.
  rpc GetAuthStatus(GetAuthStatusRequest) returns (User) {
    option (google.api.http) = {get: "/api/v1/auth/status"};
  }

  // CreateSession authenticates a user and creates a new session.
  // Returns the authenticated user information upon successful authentication.
  rpc CreateSession(CreateSessionRequest) returns (User) {
    option (google.api.http) = {
      post: "/api/v1/auth/sessions"
      body: "*"
    };
  }

  // RegisterUser creates a new user account with username and password.
  // Returns the newly created user information upon successful registration.
  rpc RegisterUser(RegisterUserRequest) returns (User) {
    option (google.api.http) = {
      post: "/api/v1/auth/users"
      body: "*"
    };
  }

  // DeleteSession terminates the current user session.
  // This is an idempotent operation that invalidates the user's authentication.
  rpc DeleteSession(DeleteSessionRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {delete: "/api/v1/auth/sessions/current"};
  }
}

message GetAuthStatusRequest {}

message GetAuthStatusResponse {
  User user = 1;
}

message CreateSessionRequest {
  // Provide one authentication method (username/password or SSO).
  // Required field to specify the authentication method.
  oneof method {
    // Username and password authentication method.
    PasswordCredentials password_credentials = 1;

    // SSO provider authentication method.
    SSOCredentials sso_credentials = 2;
  }

  // Whether the session should never expire.
  // Optional field that defaults to false for security.
  bool never_expire = 3 [(google.api.field_behavior) = OPTIONAL];
}

message PasswordCredentials {
  // The username to sign in with.
  // Required field for password-based authentication.
  string username = 1 [(google.api.field_behavior) = REQUIRED];

  // The password to sign in with.
  // Required field for password-based authentication.
  string password = 2 [(google.api.field_behavior) = REQUIRED];
}

message SSOCredentials {
  // The ID of the SSO provider.
  // Required field to identify the SSO provider.
  int32 idp_id = 1 [(google.api.field_behavior) = REQUIRED];

  // The authorization code from the SSO provider.
  // Required field for completing the SSO flow.
  string code = 2 [(google.api.field_behavior) = REQUIRED];

  // The redirect URI used in the SSO flow.
  // Required field for security validation.
  string redirect_uri = 3 [(google.api.field_behavior) = REQUIRED];
}

message RegisterUserRequest {
  // The username to sign up with.
  // Required field that must be unique across the system.
  string username = 1 [(google.api.field_behavior) = REQUIRED];

  // The password to sign up with.
  // Required field that should meet security requirements.
  string password = 2 [(google.api.field_behavior) = REQUIRED];
}

message DeleteSessionRequest {}