import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { genericOAuth } from "better-auth/plugins";
import { db } from "@/db/index";
import * as schema from "@/db/schema";

// Validate required environment variables
if (!process.env.BETTER_AUTH_SECRET) {
  throw new Error("BETTER_AUTH_SECRET is required");
}
if (!process.env.BETTER_AUTH_URL) {
  throw new Error("BETTER_AUTH_URL is required");
}
if (!process.env.AUTH_AUTHENTIK_CLIENT_ID) {
  throw new Error("AUTH_AUTHENTIK_CLIENT_ID is required");
}
if (!process.env.AUTH_AUTHENTIK_CLIENT_SECRET) {
  throw new Error("AUTH_AUTHENTIK_CLIENT_SECRET is required");
}
if (!process.env.AUTH_AUTHENTIK_ISSUER) {
  throw new Error("AUTH_AUTHENTIK_ISSUER is required");
}

export const auth = betterAuth({
  secret: process.env.BETTER_AUTH_SECRET,
	baseURL: process.env.BETTER_AUTH_URL,
	trustedOrigins: [process.env.BETTER_AUTH_URL],
	database: drizzleAdapter(db, {
		provider: "pg",
		schema,
	}),
	plugins: [
		genericOAuth({
			config: [
				{
					providerId: "authentik",
					clientId: process.env.AUTH_AUTHENTIK_CLIENT_ID,
					clientSecret: process.env.AUTH_AUTHENTIK_CLIENT_SECRET,
					discoveryUrl: `${process.env.AUTH_AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
					scopes: ["openid", "email", "profile"],
				},
			],
		}),
	],
});