namespace Azaion.Common.Configs;
/// <summary>
/// JWT-related settings: issuer and audience strings, the location of the
/// signing keys, the kid of the active key, and the access-token lifetime.
/// </summary>
public class JwtConfig
{
    /// <summary>
    /// Issuer string. There is no usable default: the property starts as null
    /// (the null-forgiving initializer only silences the compiler).
    /// NOTE(review): nothing in this class rejects a missing value; confirm
    /// that startup validation does.
    /// </summary>
    public string Issuer { get; set; } = null!;

    /// <summary>
    /// Audience string. Starts as null, exactly like <see cref="Issuer"/>.
    /// NOTE(review): confirm a missing audience is rejected at startup.
    /// </summary>
    public string Audience { get; set; } = null!;

    /// <summary>
    /// AZ-532 — directory holding the ES256 private keys as PEM files (*.pem).
    /// A key's kid is its file name without the extension.
    /// Production value: secrets/jwt-keys.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the default is a relative path, so the directory it
    /// resolves to depends on how the consumer opens it — confirm.
    /// The folder holds private-key material: keep it readable only by the
    /// service account and out of source control and image layers.
    /// NOTE(review): because kid equals a file name, a kid read from a token
    /// header should be looked up in the already-loaded key set and never
    /// joined to this path; the loader is not visible in this file.
    /// </remarks>
    public string KeysFolder { get; set; } = "secrets/jwt-keys";

    /// <summary>
    /// AZ-532 — kid of the key currently used to SIGN new tokens. The other
    /// keys in <see cref="KeysFolder"/> stay published in JWKS during the
    /// rotation overlap window so that in-flight tokens still verify.
    /// </summary>
    /// <remarks>
    /// Nullable, with no default. NOTE(review): what happens when this is
    /// unset is decided by the consumer (not shown here); confirm it fails
    /// closed instead of signing with an arbitrary key.
    /// </remarks>
    public string? ActiveKid { get; set; }

    /// <summary>
    /// AZ-531 — lifetime of an access token, in minutes (default 15).
    /// Refresh-token lifetimes are configured on <see cref="SessionConfig"/>.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the value is not range-checked here; zero or negative
    /// values have to be rejected by whoever reads this setting.
    /// </remarks>
    public int AccessTokenLifetimeMinutes { get; set; } = 15;
}
/// <summary>
/// Refresh-token session settings: the sliding renewal window and the
/// absolute lifetime cap of a session family.
/// </summary>
/// <remarks>
/// NOTE(review): this class does not check that either value is positive or
/// that <see cref="RefreshAbsoluteHours"/> is at least
/// <see cref="RefreshSlidingHours"/>; confirm where that is validated.
/// </remarks>
public class SessionConfig
{
    /// <summary>
    /// AZ-531 — sliding window. Every refresh moves expires_at to this many
    /// hours from "now" (default 8). The family-level absolute cap is
    /// <see cref="RefreshAbsoluteHours"/>.
    /// </summary>
    public int RefreshSlidingHours { get; set; } = 8;

    /// <summary>
    /// AZ-531 — absolute cap (default 12). A session family whose first issue
    /// is more than this many hours old is rejected, even when each individual
    /// rotation stayed inside the sliding window.
    /// </summary>
    public int RefreshAbsoluteHours { get; set; } = 12;
}