namespace Gateway.Security;

/// <summary>
/// Holds authenticated client information for the current request.
/// Populated by ClientAuthMiddleware.
/// </summary>
public sealed class ClientContext
{
    /// <summary>
    /// Session ID from session-based auth.
    /// </summary>
    public string? SessionId { get; set; }

    /// <summary>
    /// The authenticated client ID (from session, JWT sub claim, or dev header).
    /// This identifies the client/organization in our platform.
    /// </summary>
    public string? ClientId { get; set; }

    /// <summary>
    /// Optional tenant ID for the ad platform (e.g., Google Ads customer ID).
    /// May be derived from ClientId mapping or passed in request.
    /// </summary>
    public string? TenantId { get; set; }

    /// <summary>
    /// Display name from token or session (if available).
    /// </summary>
    public string? ClientName { get; set; }

    /// <summary>
    /// User ID from session (if using session auth).
    /// </summary>
    public string? UserId { get; set; }

    /// <summary>
    /// Email from token or session (if available).
    /// </summary>
    public string? Email { get; set; }

    /// <summary>
    /// User role from session (admin, user, readonly).
    /// </summary>
    public string? Role { get; set; }

    /// <summary>
    /// Whether this request was authenticated via dev bypass (vs real auth).
    /// </summary>
    public bool IsDevBypass { get; set; }

    /// <summary>
    /// The authentication provider used (microsoft, google, etc.)
    /// </summary>
    public string? AuthProvider { get; set; }

    /// <summary>
    /// True if we have a valid ClientId.
    /// </summary>
    public bool IsAuthenticated => !string.IsNullOrWhiteSpace(ClientId);
}