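// OIDC discovery document + issuer derivation.
//
// The issuer MUST exactly equal the URL prefix a relying party used to fetch
// /.well-known/openid-configuration. We prefer the tenant's configured base_url
// (the trustworthy source); otherwise we fall back to the request scheme+host.
//
// SECURITY: the request-host fallback is vulnerable to Host-header injection
// (an attacker forging Host could poison the advertised issuer/endpoints).
// base_url should be set in any multi-tenant or proxied deployment; the
// fallback exists for single-tenant localhost/dev. This is revisited in the
// multi-tenancy phase (validate host against the tenant's known domains).
const constants = require("../constants");

// Characters that cannot occur in a URL authority (host[:port]). A Host value
// containing one of them would let the derived issuer escape the host
// component (gain userinfo, a path, query or fragment), so it is rejected
// instead of being interpolated into the issuer.
const INVALID_HOST_CHARS = /[\s\/\\?#@]/;

/**
 * Derive the OIDC issuer URL for a request.
 *
 * Source of truth, in order:
 *   1. the configured `base_url`, read through @saltcorn/data state when that
 *      module is loadable;
 *   2. the request's scheme + Host header, with a console warning (see the
 *      SECURITY note at the top of this file).
 *
 * Trailing slashes are stripped before `constants.IDP_BASE_PATH` is appended.
 *
 * @param {object} req - Express-style request; `req.protocol` and
 *   `req.get("host")` are only consulted when `base_url` is not configured.
 * @returns {string} the issuer, i.e. `<base>` followed by IDP_BASE_PATH.
 * @throws {Error} when `base_url` is not configured and the request carries no
 *   Host header or one that is not a plain host[:port]. Previously a missing
 *   header silently produced an issuer of the form `http://undefined...`,
 *   which no relying party could ever match.
 */
const issuerForReq = (req) => {
  let base = "";
  try {
    const { getState } = require("@saltcorn/data/db/state");
    const configured = getState().getConfig("base_url", "");
    if (configured) {
      base = configured;
    }
  } catch (e) {
    // getState unavailable (e.g. outside a Saltcorn runtime); fall back to
    // the request-derived host below.
  }
  if (!base) {
    const host = req.get("host");
    if (!host || INVALID_HOST_CHARS.test(host)) {
      throw new Error(
        `[${constants.PLUGIN_NAME}] cannot derive issuer: base_url is not set and the request Host header is missing or malformed`
      );
    }
    base = `${req.protocol}://${host}`;
    // eslint-disable-next-line no-console
    console.warn(
      `[${constants.PLUGIN_NAME}] base_url not set; deriving issuer from request Host (${base}). Set base_url to prevent Host-header issuer poisoning.`
    );
  }
  // The issuer must match the prefix RPs used byte-for-byte; normalise away
  // any trailing slash before appending the well-known path.
  base = base.replace(/\/+$/, "");
  return base + constants.IDP_BASE_PATH;
};

// NOTE: the discovery document and JWKS are now generated and served by
// oidc-provider itself (see oidc/provider.js + oidc/routes.js); we only keep the
// issuer derivation here, which feeds the Provider's issuer.
module.exports = { issuerForReq };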