using System.Security.Claims;
using SharepointToolbox.Web.Core.Models;

namespace SharepointToolbox.Web.Services.Auth;

public interface IUserService
{
    /// <summary>Auto-provision on first OIDC login; update LastLogin on subsequent logins.
    /// First user ever becomes Admin automatically. Tags the user as <see cref="AuthProvider.Entra"/>.</summary>
    Task<AppUser> ProvisionAsync(ClaimsPrincipal principal);

    Task<AppUser?> GetByEmailAsync(string email);
    Task<IReadOnlyList<AppUser>> GetAllAsync();
    /// <summary>Persist a new role for the user. Returns the previous role (read from the store).</summary>
    /// <exception cref="KeyNotFoundException">No user matches <paramref name="userId"/>.</exception>
    Task<UserRole> UpdateRoleAsync(string userId, UserRole role);
    Task DeleteAsync(string userId);

    /// <summary>Create a local password-based account. First user ever becomes Admin.</summary>
    /// <exception cref="InvalidOperationException">Email already in use.</exception>
    Task<AppUser> CreateLocalUserAsync(string email, string displayName, UserRole role, string password);

    /// <summary>Validate local credentials. Returns the user and updates LastLogin on success; null otherwise.
    /// Only matches <see cref="AuthProvider.Local"/> accounts.</summary>
    Task<AppUser?> ValidateLocalCredentialsAsync(string email, string password);

    /// <summary>Admin reset — set a local user's password without knowing the current one.</summary>
    Task SetPasswordAsync(string userId, string newPassword);

    /// <summary>Self-service — change own password after verifying the current one.</summary>
    /// <returns>true if the current password matched and the change was saved.</returns>
    Task<bool> ChangePasswordAsync(string userId, string currentPassword, string newPassword);
}