import { Module } from '@nestjs/common';
import { ConfigModule, ConfigService } from '@nestjs/config';
import { APP_GUARD } from '@nestjs/core';
import {
  AuthGuard,
  KeycloakConnectConfig,
  KeycloakConnectModule,
  ResourceGuard,
  RoleGuard,
  TokenValidation,
} from 'nest-keycloak-connect';
import { HttpModule } from '@nestjs/axios';
import { TerminusModule } from '@nestjs/terminus';
import keycloakConfig, { keycloakConfigValidationSchema } from './config/keycloak.config';
import { AuthModule } from './auth/auth.module';
import { ApiModule } from './api/api.module';
import { UsersModule } from './users/users.module';
import { StartupService } from './auth/services/startup.service';

/**
 * Root application module.
 *
 * Wires global configuration, the Keycloak adapter, the HTTP client and
 * health-check modules, the feature modules, and three globally registered
 * Keycloak guards (authentication, resource, role).
 */
@Module({
  imports: [
    // Global configuration: loads the `keycloak` namespace and validates it
    // against the schema at startup; `abortEarly` stops on the first error.
    // NOTE(review): `allowUnknown: false` rejects keys the schema does not
    // declare — confirm the schema tolerates unrelated environment variables.
    ConfigModule.forRoot({
      isGlobal: true,
      load: [keycloakConfig],
      validationSchema: keycloakConfigValidationSchema,
      validationOptions: {
        allowUnknown: false,
        abortEarly: true,
      },
    }),

    // Keycloak adapter, configured asynchronously from ConfigService.
    KeycloakConnectModule.registerAsync({
      imports: [ConfigModule],
      inject: [ConfigService],
      useFactory: (configService: ConfigService): KeycloakConnectConfig => {
        // Local names differ from the imported `keycloakConfig` factory to
        // avoid shadowing it. The lookup is untyped; the startup validation
        // above is what is relied on for these keys being present.
        const { serverUrl, realm, authClientId, authClientSecret } =
          configService.get('keycloak');

        return {
          authServerUrl: serverUrl,
          realm,
          clientId: authClientId,
          // Confidential-client secret: supplied through configuration only.
          secret: authClientSecret,
          useNestLogger: true,

          /**
           * OFFLINE validation:
           * the JWT is validated locally (RS256 signature).
           * No network call to Keycloak for introspection.
           *
           * Trade-off: without introspection, a token revoked or logged out
           * on the Keycloak side is presumably still accepted until it
           * expires, so access-token lifetimes should be kept short.
           */
          tokenValidation: TokenValidation.OFFLINE,

          // Optional: Add more Keycloak options as needed
          // publicClient: false,
          // NOTE(review): audience verification is left disabled here; with
          // local-only validation, confirm whether tokens issued to other
          // clients of the same realm should be accepted by this API.
          // verifyTokenAudience: true,
          // confidentialPort: 0,
        };
      },
    }),

    // Outbound HTTP client (5 s timeout, follows up to 5 redirects) and
    // health checks.
    // NOTE(review): if any request URL can be influenced by callers, followed
    // redirects can land on hosts the original URL check never saw — verify.
    HttpModule.register({
      timeout: 5000,
      maxRedirects: 5,
    }),
    TerminusModule,

    // Feature modules
    AuthModule,
    ApiModule,
    UsersModule,
  ],
  providers: [
    StartupService,

    // Global guards, applied to every route. Registration order is kept as
    // authentication, then resource, then role.
    // NOTE(review): the resource and role guards are expected to run after
    // AuthGuard; routes meant to be public must opt out explicitly.
    { provide: APP_GUARD, useClass: AuthGuard },
    { provide: APP_GUARD, useClass: ResourceGuard },
    { provide: APP_GUARD, useClass: RoleGuard },
  ],
})
export class AppModule {}