using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

namespace StellaOps.Scanner.WebService.Security;

/// <summary>
/// Authentication handler for anonymous/development mode that creates
/// a synthetic user identity for testing and local development.
/// </summary>
internal sealed class AnonymousAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public AnonymousAuthenticationHandler(
        IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger,
        UrlEncoder encoder)
        : base(options, logger, encoder)
    {
    }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Create identity with standard claims that endpoints may require
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "anonymous-user"),
            new Claim(ClaimTypes.Name, "Anonymous User"),
            new Claim(ClaimTypes.Email, "anonymous@localhost"),
            new Claim("sub", "anonymous-user"),
        };

        var identity = new ClaimsIdentity(claims, authenticationType: Scheme.Name);
        var principal = new ClaimsPrincipal(identity);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}