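#ifndef OATPP_AUTHKIT_AUTH_IAUTH_BACKEND_HPP
#define OATPP_AUTHKIT_AUTH_IAUTH_BACKEND_HPP

#include <optional>
#include <string>

#include "AuthPrincipal.hpp"

namespace oatpp_authkit {

/**
 * @brief Consumer-supplied adapter from library primitives → user store.
 *
 * The library never reads the database directly. The interceptor calls
 * these methods, the concrete implementation (owned by the consumer app)
 * wraps `UserDb` / `CertificateDb` / whatever and returns library-owned
 * `AuthPrincipal` structs.
 *
 * All methods must be thread-safe (the interceptor is invoked from oatpp
 * worker threads).
 *
 * Security contract for implementers: a returned `AuthPrincipal` is the
 * backend's statement that the credential is valid right now. Return
 * `std::nullopt` when the record is missing, expired, revoked, or belongs
 * to a user that is not active, rather than leaving those checks to the
 * caller.
 *
 * NOTE(review): how the interceptor treats an exception thrown from these
 * methods is not visible in this header. Confirm that it rejects the
 * request instead of continuing unauthenticated.
 */
class IAuthBackend {
public:
    virtual ~IAuthBackend() = default;

    /**
     * @brief Look up an active session by its hashed token.
     *
     * @param hash Hash of the session token, as computed by the caller. The
     *             hash algorithm is not defined in this header, so confirm
     *             that stored values use the same one. Treat the value as a
     *             credential and keep it out of logs and error messages.
     * @return The principal for an active session, otherwise `std::nullopt`.
     *         Expiry has to be checked here: cleanup via
     *         deleteExpiredSessions() is only periodic, so expired rows can
     *         still be present when this is called.
     */
    virtual std::optional<AuthPrincipal> resolveBySessionHash(const std::string& hash) = 0;

    /**
     * @brief Look up an API key by its hashed token; also touch `last_used_at`.
     *
     * @param hash Hash of the API key, as computed by the caller. Treat it
     *             as a credential and keep it out of logs.
     * @return The principal owning the key, otherwise `std::nullopt`.
     *
     * The `last_used_at` update makes this lookup a write. Only touch the
     * row for a key that actually resolved, so that failed attempts cannot
     * alter audit data.
     */
    virtual std::optional<AuthPrincipal> resolveByApiKeyHash(const std::string& hash) = 0;

    /**
     * @brief Look up a user by TLS client cert DN. Return nullopt if your
     *        app doesn't support cert auth — the interceptor silently skips
     *        this step.
     *
     * The default implementation returns `std::nullopt`, i.e. certificate
     * authentication is off unless a backend overrides this method.
     *
     * NOTE(review): this interface receives only a string and cannot tell
     * whether the DN came from a certificate the TLS layer verified. Confirm
     * at the call site that it is never taken from client-controllable input
     * such as a forwarded request header. Overrides should match the DN
     * exactly, not by prefix or substring.
     */
    virtual std::optional<AuthPrincipal> resolveByCertDn(const std::string& /*dn*/) {
        return std::nullopt;
    }

    /**
     * @brief True iff at least one active user exists. Used for setup-mode gate.
     *
     * NOTE(review): the effect of `false` is decided by the interceptor,
     * which is not shown here. If `false` opens a setup path, a backend that
     * returns `false` when the user store is unreachable would open it by
     * accident. Report store failures as an error, not as "no users".
     */
    virtual bool hasActiveUsers() = 0;

    /**
     * @brief Delete expired session rows. Called periodically by the interceptor.
     *
     * This is housekeeping only. Session validity must not depend on it
     * having run; see resolveBySessionHash().
     */
    virtual void deleteExpiredSessions() = 0;
};

} // namespace oatpp_authkit

#endif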