// ref: https://github.com/takenet/lime-csharp/tree/master/src/Lime.Protocol/Security
export interface GuestAuthentication {
    scheme: 'guest'
}

export interface KeyAuthentication {
    scheme: 'key'
    key: string
}

// This auth method doesn't exist in reality, it is only used to facilitate usage
export interface TokenAuthentication {
    scheme: 'token'
    token: string
}

export interface ExternalAuthentication {
    scheme: 'external'
    issuer: string
    token: string
}

export interface PlainAuthentication {
    scheme: 'plain'
    password: string
}

export interface TransportAuthentication {
    scheme: 'transport'
    pfx?: Uint8Array
    cert?: Uint8Array | string
    key?: Uint8Array | string
    ca?: Uint8Array | string | Array<Uint8Array | string>
    passphrase?: string
    rejectUnauthorized?: boolean
}

export type Authentication =
    | GuestAuthentication
    | KeyAuthentication
    | ExternalAuthentication
    | PlainAuthentication
    | TokenAuthentication
    | TransportAuthentication

export type NonTransportAuthentication = Exclude<Authentication, TransportAuthentication>

export function assertNonTransportAuth(auth: unknown, senderName: string): void {
    if ((auth as { scheme?: string } | null | undefined)?.scheme === 'transport') {
        throw new Error(
            `${senderName} does not support the 'transport' scheme: TLS terminates before any application-layer negotiation, so a client certificate cannot be reliably delivered upstream. Use TCPSender.`,
        )
    }
}