using Azure.Core;
using Microsoft.Graph;
using Microsoft.SharePoint.Client;
using SharepointToolbox.Web.Core.Models;
namespace SharepointToolbox.Web.Infrastructure.Auth;
/// <summary>
/// Builds app-only (certificate-based) clients for a client profile. Drives BOTH the
/// background report scheduler AND the interactive session: when a profile is configured
/// for certificate auth (see the profile's certificate-auth setting), technicians operate
/// through the app identity and never sign in to SharePoint per profile. Requires
/// that setting, an app-only client id, and a stored certificate.
/// </summary>
public interface IAppOnlyContextFactory
{
// NOTE(review): the Task-returning members below are declared as non-generic Task in this
// listing although their documentation describes a returned value; the generic type
// arguments (and the cref/paramref names in the comments) look lost in extraction —
// confirm against the original file.
// NOTE(review): per the interface description, technicians act through the app identity
// rather than their own sign-in, so SharePoint and Graph see the application, not the
// person. Per-technician authorization and audit attribution presumably have to be
// enforced and recorded by the callers of this factory — confirm where that happens.
/// <summary>
/// True when this profile can authenticate app-only without an interactive sign-in:
/// the profile's certificate-auth setting is set, an app-only client id is present,
/// and a certificate is stored for the profile. When false, callers fall back to the
/// delegated refresh-token flow.
/// </summary>
/// <remarks>
/// As described, this reports that the configuration is present, not that the
/// credentials work; <see cref="TestConnectionAsync"/> is the member documented as
/// verifying authentication.
/// </remarks>
/// <param name="profile">Profile whose app-only configuration is inspected.</param>
bool IsConfigured(TenantProfile profile);
/// <summary>CSOM context for a specific site, authenticated app-only.</summary>
/// <param name="profile">Profile supplying the app-only credentials.</param>
/// <param name="siteUrl">URL of the site the context is created for.</param>
/// <param name="ct">Token used to cancel the operation.</param>
// NOTE(review): whether siteUrl is checked against the profile's own tenant is not visible
// in this interface — confirm the implementation does not hand an app-only token to a
// host the profile does not own.
Task CreateContextAsync(TenantProfile profile, string siteUrl, CancellationToken ct = default);
/// <summary>Microsoft Graph client, authenticated app-only.</summary>
/// <param name="profile">Profile supplying the app-only credentials.</param>
/// <param name="ct">Token used to cancel the operation.</param>
Task CreateGraphClientAsync(TenantProfile profile, CancellationToken ct = default);
/// <summary>
/// Acquires an app-only access token for an arbitrary scope (e.g. a SharePoint host or Graph).
/// </summary>
/// <param name="profile">Profile supplying the app-only credentials.</param>
/// <param name="scope">Scope the token is requested for.</param>
/// <param name="ct">Token used to cancel the operation.</param>
// NOTE(review): the scope is caller-supplied and this interface shows no restriction on it;
// callers should pass fixed, known scopes rather than values derived from request input.
// The returned token is a bearer credential for the app identity — keep it out of logs,
// error messages and responses.
Task GetTokenAsync(TenantProfile profile, string scope, CancellationToken ct = default);
/// <summary>
/// Verifies the stored credentials can authenticate against the tenant root web.
/// Returns null on success, or an error message describing the failure.
/// </summary>
/// <param name="profile">Profile whose stored credentials are tested.</param>
/// <param name="ct">Token used to cancel the operation.</param>
// NOTE(review): the content of the error message is not visible here; if it relays the
// identity provider's raw error text it may include tenant or client identifiers, so
// review it before displaying it to end users.
Task TestConnectionAsync(TenantProfile profile, CancellationToken ct = default);
/// <summary>
/// Polls (presumably <see cref="TestConnectionAsync"/> — reference lost in this listing,
/// confirm) until it succeeds or <paramref name="timeout"/>
/// elapses. After a fresh app registration, the certificate key credential and app-role
/// admin consent take time to propagate through Entra (token requests 401 until then);
/// this waits that window out. Returns null once ready, or the last error on timeout.
/// </summary>
/// <param name="profile">Profile whose app-only credentials are awaited.</param>
/// <param name="timeout">Upper bound on how long to keep polling.</param>
/// <param name="ct">Token used to cancel the wait.</param>
Task WaitUntilReadyAsync(TenantProfile profile, TimeSpan timeout, CancellationToken ct = default);
}