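import NextAuth, { NextAuthOptions } from "next-auth";
import KeycloakProvider from "next-auth/providers/keycloak";

/**
 * NextAuth configuration for signing in through Keycloak.
 *
 * Simple, minimal implementation - NO REFRESH TOKEN LOGIC. The Keycloak access
 * token is captured once at sign-in and never renewed, while the NextAuth
 * session itself lasts up to 8 hours.
 *
 * NOTE(review): the access token's own lifetime is set in the Keycloak realm
 * and is commonly much shorter than 8 hours - confirm that consumers of
 * `session.accessToken` handle an expired token.
 */
export const authOptions: NextAuthOptions = {
  providers: [
    KeycloakProvider({
      // The empty-string fallbacks keep the module loadable when a variable is
      // unset, but a missing value then only surfaces as a failed sign-in.
      // NOTE(review): consider validating these three variables at deploy time.
      clientId: process.env.KEYCLOAK_CLIENT_ID || "",
      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET || "",
      issuer: process.env.KEYCLOAK_ISSUER || "",
    }),
  ],
  session: {
    strategy: "jwt",
    maxAge: 8 * 60 * 60, // 8 hours only
  },
  callbacks: {
    // Simple JWT callback - no refresh logic
    async jwt({ token, account }) {
      if (account) {
        // Initial sign-in, store tokens. `account` is only set on sign-in, so
        // later invocations return the token unchanged.
        token.accessToken = account.access_token;
        token.sub = account.providerAccountId;
      }
      return token;
    },
    // Simple session callback
    async session({ session, token }) {
      // Whatever is placed on `session` is returned by the session endpoint,
      // so the access token becomes readable by client-side JavaScript.
      // NOTE(review): drop this line and read the token server-side if the
      // browser never needs to call the API directly.
      session.accessToken = token.accessToken;
      if (session.user) {
        session.user.id = token.sub || "";
      }
      return session;
    }
  },
  // Redirect to signin page for any errors
  pages: {
    signIn: '/signin',
    error: '/signin',
  },
  // Session cookie options
  cookies: {
    sessionToken: {
      // NOTE(review): overriding the name drops the `__Secure-` prefix that
      // NextAuth applies by default on HTTPS; anything that looks the cookie
      // up by name must use this exact name.
      name: 'next-auth.session-token',
      options: {
        httpOnly: true,
        // 'lax' (NextAuth's default) keeps the session cookie off cross-site
        // sub-requests and form posts, so routes that authenticate by this
        // cookie are not exposed to CSRF from other origins. 'none' is only
        // needed when the cookie must travel in a cross-site context, and then
        // every state-changing route needs its own CSRF defence.
        sameSite: 'lax',
        path: '/',
        secure: true,
      },
    },
  },
  debug: false,
};

const handler = NextAuth(authOptions);

export { handler as GET, handler as POST };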