// SPDX-License-Identifier: MIT

import { DefaultAzureCredential, ClientSecretCredential, DeviceCodeCredential } from "@azure/identity";
import type { AuthenticationResult } from "@azure/msal-node";
import { acquireResourceToken as acquireResourceTokenPca } from "./pca-auth.ts";

type CredentialType = "d" | "default" | "cs" | "clientSecret" | "dc" | "deviceCode";

export async function getCredential(
  credentialType: CredentialType,
  tenantId?: string,
  clientId?: string,
  clientSecret?: string,
): Promise<DefaultAzureCredential | ClientSecretCredential | DeviceCodeCredential> {
  switch (credentialType) {
    case "d":
    case "default":
      return new DefaultAzureCredential();
    case "cs":
    case "clientSecret":
      if (!tenantId || !clientId || !clientSecret) {
        throw new Error(
          "tenantId, clientId, and clientSecret are required for ClientSecretCredential",
        );
      }
      return new ClientSecretCredential(
        tenantId,
        clientId,
        clientSecret,
      );
    case "dc":
    case "deviceCode":
      if (!tenantId || !clientId) {
        throw new Error(
          "tenantId and clientId are required for DeviceCodeCredential",
        );
      }
      return new DeviceCodeCredential({
        tenantId,
        clientId,
        userPromptCallback: (info) => {
          console.log(info.message);
        },
      });
    default:
      throw new Error(`Unsupported credential type: ${credentialType}`);
  }
}

export async function acquireResourceToken(
  tenantId: string,
  clientId: string,
  resource: string,
): Promise<AuthenticationResult | null> {
  return acquireResourceTokenPca(tenantId, clientId, resource);
}