import {
  OAuthClientListItemSchema,
  OAuthClientCreateRequestSchema,
  OAuthClientCreateDataSchema,
  OAuthClientUpdateRequestSchema,
  OAuthClientUpdateDataSchema,
  OAuthDeletedDataSchema,
  OAuthRotateSecretDataSchema,
  OAuthConsentGrantSchema,
  OAuthClientActivityItemSchema,
  OAuthBulkActivityItemSchema,
  OAuthUserConsentSchema,
  OAuthScopesDataSchema,
  OAuthOrgMemberSchema,
  OAuthKeyRotatedDataSchema,
} from '../api/oauth/types.ts';

/*
 * API reference descriptor for the OAuth 2.0 / OIDC management endpoints.
 *
 * Everything here is static data: one entry per endpoint with its method,
 * path, parameters, request/response schema and documented status codes.
 * The object is the module's default export; whatever consumes it is not
 * visible in this file.
 *
 * The small factories below return a fresh object on every call, so no two
 * endpoints share a status or parameter row by reference.
 */

/** Success row; the wording differs per endpoint. */
const ok = (description: string) => ({ code: 200, description });

/** 401 row, worded identically on every endpoint. */
const unauthorized = () => ({
  code: 401,
  description: 'Unauthorized — invalid or missing API key',
});

/** 403 row, worded identically on every endpoint that lists it. */
const forbidden = () => ({
  code: 403,
  description: 'Forbidden — insufficient permissions',
});

/** 404 row; the wording differs per endpoint. */
const notFound = (description: string) => ({ code: 404, description });

/** The `{id}` path parameter shared by the per-client routes. */
const clientIdParam = () => ({
  name: 'id',
  type: 'string',
  description: 'The OAuth client ID',
});

/**
 * The optional `days` query parameter of the activity routes.
 * NOTE(review): only a default is documented; no upper bound is stated here.
 * Confirm that the server clamps the value.
 */
const daysParam = () => ({
  name: 'days',
  type: 'number',
  description: 'Number of days of activity to return (default: 30)',
  required: false,
});

// NOTE(review): no endpoint below documents a 400 row, including the ones that
// accept a JSON body or the `days` query parameter. Confirm against the API
// whether validation failures should be listed.
const service = {
  name: 'OAuth Applications',
  slug: 'oauth',
  description:
    'Manage OAuth 2.0/OIDC applications, client credentials, user consent, and authorization scopes',
  endpoints: [
    // ---- Client registration and lifecycle -------------------------------
    {
      id: 'list-oauth-clients',
      title: 'List OAuth Clients',
      method: 'GET',
      path: '/oidc/clients',
      description:
        'List all OAuth clients for the current organization. Returns client metadata, user counts, and last activity timestamps.',
      pathParams: [],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON array of OAuth client objects with usage statistics.',
      responseFields: { schema: OAuthClientListItemSchema },
      statuses: [ok('Client list returned'), unauthorized(), forbidden()],
      examplePath: '/oidc/clients',
    },
    {
      // The response carries the client secret, and per the description it is
      // never retrievable afterwards. Treat the response body as credential
      // material: keep it out of logs, traces and rendered sample output.
      id: 'create-oauth-client',
      title: 'Create OAuth Client',
      method: 'POST',
      path: '/oidc/clients',
      description:
        'Create a new OAuth client application. Returns the client details and a client secret that should be stored securely — it cannot be retrieved again.',
      pathParams: [],
      queryParams: [],
      requestBody: {
        description: 'JSON body with the OAuth client configuration.',
        fields: { schema: OAuthClientCreateRequestSchema },
      },
      responseDescription: 'JSON object containing the created client and its client secret.',
      responseFields: { schema: OAuthClientCreateDataSchema },
      statuses: [ok('Client created successfully'), unauthorized(), forbidden()],
      examplePath: '/oidc/clients',
      // The sample registers an https callback and a minimal scope set.
      // NOTE(review): whether the API enforces https or exact-match redirect
      // URIs is not visible here; worth stating in the description if it does.
      exampleBody: {
        name: 'My App',
        description: 'An example OAuth application',
        homepage_url: 'https://example.com',
        redirect_uris: ['https://example.com/callback'],
        scopes: ['openid', 'profile'],
      },
    },
    {
      id: 'get-oauth-client',
      title: 'Get OAuth Client',
      method: 'GET',
      path: '/oidc/clients/{id}',
      description:
        'Retrieve a specific OAuth client by ID, including its configuration, user count, and last activity.',
      pathParams: [clientIdParam()],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object with the OAuth client details.',
      responseFields: { schema: OAuthClientListItemSchema },
      statuses: [
        ok('Client found and returned'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123',
    },
    {
      // Documented as a PUT with partial-update semantics. The response may
      // carry a fresh client secret after a client-type change, so it needs
      // the same handling as the create response.
      id: 'update-oauth-client',
      title: 'Update OAuth Client',
      method: 'PUT',
      path: '/oidc/clients/{id}',
      description:
        'Update an existing OAuth client. Only the provided fields are updated; omitted fields remain unchanged.',
      pathParams: [clientIdParam()],
      queryParams: [],
      requestBody: {
        description: 'JSON body with the fields to update.',
        // presumably makes the renderer show every schema field as optional;
        // confirm against the consumer of `stripRequired`
        fields: { schema: OAuthClientUpdateRequestSchema, stripRequired: true },
      },
      responseDescription:
        'JSON object containing the updated client. May include a new client secret if the client type was changed.',
      responseFields: { schema: OAuthClientUpdateDataSchema },
      statuses: [
        ok('Client updated successfully'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123',
      exampleBody: {
        name: 'Updated App Name',
        scopes: ['openid', 'profile', 'email'],
      },
    },
    {
      // Destructive: per the description, deleting a client also revokes its
      // tokens and consent grants.
      id: 'delete-oauth-client',
      title: 'Delete OAuth Client',
      method: 'DELETE',
      path: '/oidc/clients/{id}',
      description:
        'Delete an OAuth client and revoke all associated tokens and user consent grants.',
      pathParams: [clientIdParam()],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object confirming deletion.',
      responseFields: { schema: OAuthDeletedDataSchema },
      statuses: [
        ok('Client deleted successfully'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123',
    },
    {
      // Per the description there is no overlap window: the old secret stops
      // working as soon as this call succeeds, so deployments that hold it
      // must be updated in step. The response is credential material.
      id: 'rotate-client-secret',
      title: 'Rotate Client Secret',
      method: 'POST',
      path: '/oidc/clients/{id}/rotate-secret',
      description:
        'Generate a new client secret for a confidential OAuth client. The old secret is immediately invalidated. Store the new secret securely — it cannot be retrieved again.',
      pathParams: [clientIdParam()],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object containing the client ID and new client secret.',
      responseFields: { schema: OAuthRotateSecretDataSchema },
      statuses: [
        ok('Secret rotated successfully'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123/rotate-secret',
    },

    // ---- Consent grants held by a client ---------------------------------
    {
      id: 'list-client-users',
      title: 'List Client Users',
      method: 'GET',
      path: '/oidc/clients/{id}/users',
      description:
        'List all users who have granted consent to an OAuth client, including their authorized scopes.',
      pathParams: [clientIdParam()],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON array of consent grant objects for the client.',
      responseFields: { schema: OAuthConsentGrantSchema },
      statuses: [
        ok('User list returned'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123/users',
    },
    {
      // Same path as the listing above; only the method differs. Revokes
      // every user's consent and invalidates the client's active tokens.
      id: 'revoke-all-client-users',
      title: 'Revoke All Client Users',
      method: 'DELETE',
      path: '/oidc/clients/{id}/users',
      description:
        'Revoke consent for all users of an OAuth client. All active tokens for this client are invalidated.',
      pathParams: [clientIdParam()],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object confirming revocation.',
      responseFields: { schema: OAuthDeletedDataSchema },
      statuses: [
        ok('All user consent revoked'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123/users',
    },
    {
      id: 'revoke-client-user',
      title: 'Revoke Client User',
      method: 'DELETE',
      path: '/oidc/clients/{id}/users/{user_id}',
      description:
        "Revoke a specific user's consent for an OAuth client. The user's active tokens for this client are invalidated.",
      pathParams: [
        clientIdParam(),
        { name: 'user_id', type: 'string', description: 'The user ID to revoke' },
      ],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object confirming revocation.',
      responseFields: { schema: OAuthDeletedDataSchema },
      statuses: [
        ok('User consent revoked'),
        unauthorized(),
        forbidden(),
        notFound('Client or user not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123/users/usr_xyz789',
    },

    // ---- Activity statistics ---------------------------------------------
    {
      id: 'get-client-activity',
      title: 'Get Client Activity',
      method: 'GET',
      path: '/oidc/clients/{id}/activity',
      description:
        'Get daily activity statistics for an OAuth client, including total access counts and unique user counts.',
      pathParams: [clientIdParam()],
      queryParams: [daysParam()],
      requestBody: null,
      responseDescription: 'JSON array of daily activity records.',
      responseFields: { schema: OAuthClientActivityItemSchema },
      statuses: [
        ok('Activity data returned'),
        unauthorized(),
        forbidden(),
        notFound('Client not found'),
      ],
      examplePath: '/oidc/clients/cli_abc123/activity?days=7',
    },
    {
      // NOTE(review): the static segment `activity` sits where `{id}` sits in
      // '/oidc/clients/{id}'. Confirm that the router resolves this route
      // ahead of the parameterised one.
      id: 'get-bulk-activity',
      title: 'Get Bulk Activity',
      method: 'GET',
      path: '/oidc/clients/activity',
      description:
        'Get aggregated activity statistics across all OAuth clients for the organization.',
      pathParams: [],
      queryParams: [daysParam()],
      requestBody: null,
      responseDescription: 'JSON array of daily activity records per client.',
      responseFields: { schema: OAuthBulkActivityItemSchema },
      statuses: [ok('Bulk activity data returned'), unauthorized(), forbidden()],
      examplePath: '/oidc/clients/activity?days=7',
    },

    // ---- Current-user consent --------------------------------------------
    // These two act on the caller's own grants and list no 403 row.
    {
      id: 'list-user-consent',
      title: 'List User Consent',
      method: 'GET',
      path: '/oidc/user/consent',
      description:
        'List all OAuth applications the current user has authorized, including granted scopes and client details.',
      pathParams: [],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON array of user consent objects with client metadata.',
      responseFields: { schema: OAuthUserConsentSchema },
      statuses: [ok('Consent list returned'), unauthorized()],
      examplePath: '/oidc/user/consent',
    },
    {
      id: 'revoke-user-consent',
      title: 'Revoke User Consent',
      method: 'DELETE',
      path: '/oidc/user/consent/{client_id}',
      description:
        "Revoke the current user's consent for a specific OAuth client. Active tokens for this client are invalidated.",
      pathParams: [
        {
          name: 'client_id',
          type: 'string',
          description: 'The OAuth client ID to revoke consent for',
        },
      ],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object confirming revocation.',
      responseFields: { schema: OAuthDeletedDataSchema },
      statuses: [
        ok('Consent revoked successfully'),
        unauthorized(),
        notFound('Consent not found for this client'),
      ],
      examplePath: '/oidc/user/consent/cli_abc123',
    },

    // ---- Organization-level metadata and keys ----------------------------
    {
      id: 'list-scopes',
      title: 'List Scopes',
      method: 'GET',
      path: '/oidc/scopes',
      description:
        'List all available OAuth scopes and permission categories. Includes scope metadata, consent descriptions, and permission groupings.',
      pathParams: [],
      queryParams: [],
      requestBody: null,
      responseDescription:
        'JSON object containing available scopes and structured permission categories.',
      responseFields: { schema: OAuthScopesDataSchema },
      statuses: [ok('Scope list returned'), unauthorized()],
      examplePath: '/oidc/scopes',
    },
    {
      // Returns the organization's member list. NOTE(review): which member
      // fields the schema exposes is not visible here; confirm it is limited
      // to what the allowed-user configuration needs.
      id: 'list-org-members',
      title: 'List Org Members',
      method: 'GET',
      path: '/oidc/org/members',
      description:
        'List all members of the current organization. Used for configuring allowed user restrictions on OAuth clients.',
      pathParams: [],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON array of organization member objects.',
      responseFields: { schema: OAuthOrgMemberSchema },
      statuses: [ok('Member list returned'), unauthorized(), forbidden()],
      examplePath: '/oidc/org/members',
    },
    {
      // Rotation is not revocation: per the description, tokens signed with
      // the previous key stay valid until they expire. When rotating because
      // a signing key may be exposed, already-issued tokens need the consent
      // and client revocation endpoints above as well.
      id: 'rotate-signing-keys',
      title: 'Rotate Signing Keys',
      method: 'POST',
      path: '/oidc/keys/rotate',
      description:
        'Rotate the OIDC signing keys for the organization. New tokens will be signed with the new key. Existing tokens remain valid until they expire.',
      pathParams: [],
      queryParams: [],
      requestBody: null,
      responseDescription: 'JSON object confirming key rotation.',
      responseFields: { schema: OAuthKeyRotatedDataSchema },
      statuses: [ok('Keys rotated successfully'), unauthorized(), forbidden()],
      examplePath: '/oidc/keys/rotate',
    },
  ],
};

export default service;