/**
 * Shared auth types between the web client and our Next.js API route
 * proxies. Mirrors the backend AuthResponseDto shape so the wire format
 * is the single source of truth.
 */

/** Role names exactly as they appear on the wire in `AuthUser.role` / `AuthUser.roles`. */
export type UserRole = 'super_admin' | 'admin' | 'doctor' | 'patient' | 'support';

/**
 * Account lifecycle state as reported by the backend.
 * NOTE(review): presumably only `active` accounts should proceed past login —
 * confirm which states the backend already rejects so the client does not rely on its own check.
 */
export type UserStatus = 'pending_verification' | 'active' | 'suspended' | 'deactivated';

/** The authenticated principal embedded in an {@link AuthResponse}. */
export interface AuthUser {
  id: string;
  email: string;
  firstName: string;
  lastName: string;
  /** NOTE(review): both `role` and `roles` are carried — presumably `role` is the primary one; confirm which field authorization checks must read so the two cannot disagree. */
  role: UserRole;
  roles: UserRole[];
  status: UserStatus;
  emailVerified: boolean;
  mfaEnabled: boolean;
  locale: string;
  /** Presumably an ISO-8601 timestamp; `null`/absent when onboarding is not yet complete — TODO confirm. */
  onboardingCompletedAt?: string | null;
}

/**
 * Token pair issued on successful authentication.
 * NOTE(review): this type is shared with the web client, so `refreshToken` is
 * visible to browser code — confirm the API route proxy keeps it in an httpOnly
 * cookie (or similar) rather than letting the client persist it in web storage.
 */
export interface AuthTokens {
  accessToken: string;
  refreshToken: string;
  /** Lifetime of `accessToken`; presumably seconds (OAuth convention) — confirm against the backend DTO. */
  expiresIn: number;
}

/** Full login/refresh response body: the token pair plus the resolved user. */
export interface AuthResponse extends AuthTokens {
  user: AuthUser;
}

/**
 * Error body returned by the API route proxies.
 * `kind`, `maxDevices` and `activeSessions` are only present for the
 * structured error cases named on `kind`; plain errors carry only
 * `statusCode`/`message`/`error`.
 */
export interface ApiError {
  statusCode: number;
  /** A single message, or a list of messages (presumably per-field validation errors — confirm). */
  message: string | string[];
  error?: string;
  /** Optional structured discriminator — e.g. 'mfa_required' or 'device_limit_exceeded'. */
  kind?: 'mfa_required' | 'device_limit_exceeded';
  /** When kind=device_limit_exceeded, the maximum number of concurrent devices allowed. */
  maxDevices?: number;
  /**
   * When kind=device_limit_exceeded, the active sessions the user can revoke.
   * NOTE(review): `ipAddress` and `userAgent` are shown to the end user here; they
   * should only ever describe that user's own sessions — confirm the backend scopes
   * this list to the requesting account.
   */
  activeSessions?: Array<{
    id: string;
    deviceName: string | null;
    userAgent: string | null;
    ipAddress: string | null;
    createdAt: string;
    lastUsedAt: string | null;
  }>;
}
