using System.Security.Cryptography.X509Certificates;

namespace SharepointToolbox.Web.Infrastructure.Auth;

/// <summary>
/// Stores the per-client app-only certificate (private key included) encrypted at
/// rest, keyed by profile id. Used only by the background scheduler — never exposed
/// to the browser.
/// </summary>
public interface IAppOnlyCertStore
{
    /// <summary>
    /// Persists an uploaded PFX for a profile. Returns the certificate thumbprint.
    /// The uploaded password is used only to open the PFX; it is not retained.
    /// </summary>
    Task<string> SaveAsync(string profileId, byte[] pfxBytes, string? password, CancellationToken ct = default);

    /// <summary>Loads the stored certificate (with private key) for app-only auth, or null if none.</summary>
    Task<X509Certificate2?> LoadAsync(string profileId, CancellationToken ct = default);

    bool Exists(string profileId);

    void Delete(string profileId);
}