namespace Azaion.Common.Requests;
/// <summary>
/// AZ-534 — body for POST /users/me/mfa/enroll.
/// </summary>
/// <remarks>
/// NOTE(review): the password is presumably the caller's current password, re-checked
/// before MFA enrollment starts; the handler is not in this file, so confirm.
/// </remarks>
public class MfaEnrollRequest
{
// `null!` only silences the nullable warning: the property stays null when the payload
// omits it, so the handler has to reject a missing or empty value itself.
// NOTE(review): plaintext credential; confirm that request-body logging excludes it.
public string Password { get; set; } = null!;
}
/// <summary>
/// AZ-534 — response of /enroll (also surfaces recovery codes ONCE; they are
/// hashed at rest and unrecoverable after this response).
/// </summary>
/// <remarks>
/// Every member below is authenticator enrollment material returned to the client.
/// NOTE(review): confirm that this body is kept out of response logging and of any
/// intermediary or client caching; neither is visible from this file.
/// </remarks>
public class MfaEnrollResponse
{
// Presumably the shared OTP secret for the authenticator app; encoding is not shown here.
public string Secret { get; set; } = null!;
// Presumably an otpauth:// provisioning URI; such URIs normally embed the secret, so
// treat it as equally sensitive — TODO confirm against the code that builds it.
public string OtpAuthUrl { get; set; } = null!;
// By name, a base64-encoded PNG of the QR code; presumably it encodes OtpAuthUrl — confirm.
public string QrPngBase64 { get; set; } = null!;
// Recovery codes, returned only in this response; defaults to an empty array, never null.
public string[] RecoveryCodes { get; set; } = [];
}
/// <summary>
/// Request body carrying a single MFA code.
/// </summary>
/// <remarks>
/// NOTE(review): presumably posted to the confirmation step that follows /enroll; the
/// route is not shown in this file, so verify against the controller.
/// </remarks>
public class MfaConfirmRequest
{
// `null!` only silences the nullable warning: the value is null when the payload omits
// it, so the handler must validate presence and format before comparing the code.
public string Code { get; set; } = null!;
}
/// <summary>
/// Request body for disabling MFA; it carries both a password and an MFA code.
/// </summary>
/// <remarks>
/// NOTE(review): presumably the handler requires both factors to be valid before it
/// turns MFA off; that check lives outside this file, so confirm it cannot be
/// satisfied by one field alone.
/// </remarks>
public class MfaDisableRequest
{
// Both properties are null when the payload omits them (`null!` suppresses the warning
// only), so presence must be validated by the handler.
// NOTE(review): plaintext credential; confirm that request-body logging excludes it.
public string Password { get; set; } = null!;
// Whether a recovery code is accepted here as well as an authenticator code is not
// visible from this file.
public string Code { get; set; } = null!;
}
/// <summary>
/// AZ-534 AC-3 — response of step-1 /login when the user has MFA enabled.
/// The mfa_token is a short-lived JWT carried into POST /login/mfa.
/// </summary>
/// <remarks>
/// NOTE(review): the token is issued before the second factor is checked. Confirm that
/// it is scoped to POST /login/mfa only and is rejected as an access token by every
/// other endpoint; the token-issuing code is not in this file.
/// </remarks>
public class MfaRequiredResponse
{
// Initialised to true, so a freshly constructed instance always reports MFA as required.
public bool MfaRequired { get; set; } = true;
// Short-lived JWT handed back to the client; null until the caller assigns it.
public string MfaToken { get; set; } = null!;
// Lifetime of MfaToken; the unit is not stated here — presumably seconds, confirm.
public int ExpiresIn { get; set; }
}
/// <summary>
/// Request body pairing an MFA token with an MFA code.
/// </summary>
/// <remarks>
/// NOTE(review): presumably the body of POST /login/mfa, the second login step that
/// consumes the mfa_token returned by step-1 /login; verify against the controller.
/// Attempt limiting for wrong codes is not visible from this file; confirm it exists
/// for this step.
/// </remarks>
public class MfaLoginRequest
{
// Both properties are null when the payload omits them (`null!` suppresses the warning
// only), so the handler must validate presence before verifying the token or the code.
public string MfaToken { get; set; } = null!;
// Whether a recovery code is accepted here as well as an authenticator code is not
// visible from this file.
public string Code { get; set; } = null!;
}