using ROLAC.API.DTOs.Permissions;

namespace ROLAC.API.DTOs.Auth;

public class LoginResponse
{
    /// <summary>Short-lived JWT (15 min). Store in memory — never in localStorage.</summary>
    public string AccessToken { get; set; } = null!;

    /// <summary>Seconds until the access token expires. Always 900 (15 × 60).</summary>
    public int ExpiresIn { get; set; }

    public UserInfo User { get; set; } = null!;
}

public class UserInfo
{
    public string Id                 { get; set; } = null!;
    public string Email              { get; set; } = null!;
    public IList<string> Roles       { get; set; } = [];
    public string LanguagePreference { get; set; } = "en";

    /// <summary>
    /// Effective permissions (union across the user's roles), keyed by module name.
    /// Lets the SPA hide nav/buttons. Authoritative enforcement is server-side.
    /// </summary>
    public Dictionary<string, ModuleActions> Permissions { get; set; } = [];

    /// <summary>
    /// The church member linked to this login account, or null for admin-only
    /// accounts (no MemberId) and accounts whose member record was deleted.
    /// Lets the SPA greet the user by their real name.
    /// </summary>
    public MemberInfo? MemberInfo { get; set; }
}

/// <summary>Minimal member identity for greeting the signed-in user.</summary>
public class MemberInfo
{
    public int     Id           { get; set; }
    public string? NickName     { get; set; }
    public string  FirstName_en { get; set; } = "";
    public string  LastName_en  { get; set; } = "";
    public string? FirstName_zh { get; set; }
    public string? LastName_zh  { get; set; }
}