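// Central claim mapper: a Saltcorn user -> OIDC claims, gated by granted scopes.
// This is the single place identity is rendered for relying parties; the LDAP
// and SAML renderers in later phases reuse the same group/identity source.
const groups = require("./groups");

/**
 * Normalise a granted-scope value into a list of scope tokens.
 *
 * OAuth 2.0 / OIDC scope values are whitespace-delimited (RFC 6749 §3.3), and
 * some authorization-server libraries hand the granted set over as an array
 * rather than a string. Stringifying an array joins it with commas, which
 * would silently match no scope and release no claims, so both forms are
 * accepted. Splitting on any whitespace (not just a single space) keeps
 * tab/newline-separated or double-spaced values from being missed.
 *
 * @param {string|string[]|null|undefined} grantedScopes
 * @returns {string[]} non-empty scope tokens, in the order given
 */
const parseScopes = (grantedScopes) => {
  const tokens = Array.isArray(grantedScopes)
    ? grantedScopes.flatMap((s) => String(s).split(/\s+/))
    : String(grantedScopes || "").split(/\s+/);
  return tokens.filter(Boolean);
};

/**
 * Render the OIDC claims for `user`, releasing each claim only when the
 * relying party was granted the corresponding scope.
 *
 * - `sub` is always emitted and is used exactly as supplied by the caller;
 *   this mapper neither derives nor validates it, so the caller is expected
 *   to pass the stable per-user subject identifier.
 * - `email` scope: `email`, plus `email_verified` which is true iff
 *   `user.verified_on` is set.
 * - `profile` scope: `name` from `user._attributes.name`, falling back to
 *   the email address. NOTE(review): that fallback discloses the email
 *   address under `profile` alone, even when `email` was not granted —
 *   confirm this is the intended release policy.
 * - `groups` scope: the effective-groups array from `groups.effectiveGroups`.
 *
 * Nothing else on `user` reaches the relying party; every claim is behind
 * an explicit scope check.
 *
 * @param {object} user Saltcorn user record (reads email, verified_on,
 *   _attributes.name)
 * @param {string} sub subject identifier to emit verbatim
 * @param {string|string[]|null|undefined} grantedScopes scopes granted to
 *   the relying party (space-delimited string or array)
 * @returns {Promise<object>} claims keyed by claim name; always has `sub`
 */
const oidcClaims = async (user, sub, grantedScopes) => {
  const granted = new Set(parseScopes(grantedScopes));
  const claims = { sub };

  if (granted.has("email")) {
    claims.email = user.email;
    claims.email_verified = !!user.verified_on;
  }

  if (granted.has("profile")) {
    // Display name, with the email address as the fallback (see NOTE above).
    claims.name = (user._attributes && user._attributes.name) || user.email;
  }

  if (granted.has("groups")) {
    // Same group source as the SAML/LDAP renderers, so memberships agree
    // across protocols.
    claims.groups = await groups.effectiveGroups(user);
  }

  return claims;
};

// SAML AttributeStatement values for a user: email + groups. Groups is the
// effective-groups ARRAY (one element per group is emitted by the renderer,
// matching the OIDC/LDAP array form). Reuses the same effectiveGroups source
// as OIDC.
//
// Unlike oidcClaims there is no scope gate here: SAML has no scope
// negotiation in this mapper, so both attributes are released to every
// service provider this is called for.
/**
 * @param {object} user Saltcorn user record (reads email)
 * @returns {Promise<{email: *, groups: *}>} attribute values for the
 *   AttributeStatement renderer
 */
const samlAttributes = async (user) => {
  const groupList = await groups.effectiveGroups(user);
  return {
    email: user.email,
    groups: groupList,
  };
};

module.exports = { oidcClaims, samlAttributes };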