using Azure.Identity;
using Microsoft.Graph;

namespace Management.Services;

/// <summary>
/// Wraps a Microsoft.Graph client authenticated with app-only (client credentials)
/// credentials against the org tenant.
///
/// Registered as a singleton in Program.cs — one GraphServiceClient per process.
/// </summary>
public sealed class GraphService
{
    private readonly GraphServiceClient _client;
    private readonly ILogger<GraphService> _log;

    public GraphService(IConfiguration config, ILogger<GraphService> log)
    {
        _log = log;

        var tenantId     = config["Graph:TenantId"]     ?? "";
        var clientId     = config["Graph:ClientId"]     ?? "";
        var clientSecret = config["Graph:ClientSecret"] ?? "";

        if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(clientSecret))
        {
            _log.LogWarning("[Graph] One or more Graph config values are missing (TenantId, ClientId, ClientSecret). " +
                            "GET /api/admin/access/users will return an error until these are set.");
        }

        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        _client = new GraphServiceClient(credential, ["https://graph.microsoft.com/.default"]);
    }

    public GraphServiceClient Client => _client;
}