import type { User, AuthResult } from './entities';

/**
 * Repository interface that the data layer must implement
 * Following clean architecture principles - domain defines the contract
 */
export interface IAuthRepository {
  // F.ID.004: DPoP initialization
  initializeDPoP(): Promise<string>;
  
  // F.ID.001: Login flows
  exchangeCredentialsForToken(creds: Credentials, pubKey: string): Promise<UserSession>;
  
  // F.ID.002: Verification flows
  sendOTPVerification(phoneNumber: string): Promise<void>;
  verifyOTP(phoneNumber: string, code: string): Promise<boolean>;
  sendEmailVerification(email: string): Promise<void>;
  verifyEmail(email: string, token: string): Promise<boolean>;
  
  // Magic Links (F.ID.006 - Enhanced security)
  generateMagicLink(email: string): Promise<string>;
  verifyMagicLink(token: string, nonce: string): Promise<UserSession>;
  
  // F.ID.007: Federated login
  authenticateWithProvider(provider: 'google' | 'apple', token: string): Promise<UserSession>;
  
  // Session management
  storeSession(session: UserSession): Promise<void>;
  getSession(): Promise<UserSession | null>;
  refreshSession(refreshToken: string): Promise<UserSession>;
  revokeSession(): Promise<void>;
  
  // F.ID.005: Remember me functionality
  enableRememberMe(duration: number): Promise<void>;
  disableRememberMe(): Promise<void>;
}

/**
 * Trust/Risk assessment interface
 */
export interface ITrustRepository {
  calculateRiskScore(): Promise<{ score: number; signals: Record<string, any> }>;
  performDeviceAttestation(): Promise<boolean>;
}

export interface Credentials {
  identifier: string; // email or phone
  password?: string;
  biometricSignature?: string;
  deviceId: string;
}

export interface UserSession {
  userId: string;
  accessToken: string;
  refreshToken: string;
  expiresAt: string;
  user: User;
  riskScore?: number;
  requiresStepUp?: boolean;
}

export interface BiometricConfig {
  enabled: boolean;
  fallbackToPassword: boolean;
  promptMessage: string;
}

export interface AuthConfig {
  requireEmailVerification: boolean;
  requirePhoneVerification: boolean;
  biometrics: BiometricConfig;
  rememberMeDays: number;
  maxLoginAttempts: number;
  lockoutDurationMinutes: number;
}