namespace Gateway.Security;

/// <summary>
/// Identity data for the request currently being processed.
/// Populated by MultiProviderAuthMiddleware.
/// </summary>
/// <remarks>
/// Every property has a public setter, so any code holding this instance can
/// change identity and privilege fields after the middleware has filled them in.
/// <see cref="IsAuthenticated"/> and <see cref="IsAdmin"/> are derived from those
/// fields on each read and perform no token or session validation themselves.
/// NOTE(review): confirm the instance is only written by the middleware, or
/// consider narrowing the setters in a follow-up change.
/// </remarks>
public sealed class ClientContext
{
    public string? SessionId { get; set; }

    /// <summary>OID (JWT) or platform client ID (session).</summary>
    public string? ClientId { get; set; }

    public string? TenantId { get; set; }

    public string? ClientName { get; set; }

    public string? ClientCategory { get; set; }

    public string? UserId { get; set; }

    public string? Email { get; set; }

    public string? Role { get; set; }

    // NOTE(review): presumably set when a development bypass path supplied the
    // identity - confirm against the middleware. Neither IsAuthenticated nor
    // IsAdmin reads this flag, so callers that must exclude bypassed requests
    // have to test it explicitly.
    public bool IsDevBypass { get; set; }

    public string? AuthProvider { get; set; }

    /// <summary>
    /// Raw Entra Object ID (oid claim) - always set for Microsoft tokens.
    /// Used for identity and activity logging. Distinct from <see cref="ClientId"/>,
    /// which may fall back to sub for tokens where oid isn't surfaced as a named claim.
    /// </summary>
    public string? EntraOid { get; set; }

    /// <summary>
    /// True when the token was issued by the standard Entra (staff) tenant.
    /// </summary>
    public bool IsStaff { get; set; }

    /// <summary>
    /// True when <see cref="ClientId"/> holds a non-blank value.
    /// </summary>
    /// <remarks>
    /// This is a presence check only: null, empty and whitespace-only values
    /// yield false, any other string yields true.
    /// </remarks>
    public bool IsAuthenticated
    {
        get { return string.IsNullOrWhiteSpace(ClientId) == false; }
    }

    /// <summary>
    /// True for an admin session: <see cref="IsStaff"/> is set and
    /// <see cref="Role"/> holds a non-blank value.
    /// </summary>
    /// <remarks>
    /// The role text is not compared against any list of admin roles, and
    /// <see cref="IsAuthenticated"/> is not consulted. Any non-blank role on a
    /// staff context counts as admin.
    /// NOTE(review): confirm that every role assigned to staff tokens is meant
    /// to carry admin rights.
    /// </remarks>
    public bool IsAdmin
    {
        get
        {
            if (!IsStaff)
            {
                return false;
            }

            return string.IsNullOrWhiteSpace(Role) == false;
        }
    }
}