class Users::OmniauthCallbacksController
Public Instance Methods
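# File app/controllers/users/omniauth_callbacks_controller.rb, line 16
#
# OmniAuth callback for the CIS2 OIDC provider.
#
# Stores the CIS2 session info, then checks the selected role, organisation
# and workgroup in that order, redirecting to the matching "not found" page
# on the first check that fails. When all three pass, the user is found or
# created, flagged as a supplier when CIS2 reports them as a nurse, issued a
# fresh reporting-API session token, signed in and redirected.
#
# Any StandardError is re-raised to the caller. Outside production, the ID
# token and selected claims from the OmniAuth payload are written to the
# error log before the re-raise.
def cis2
  set_cis2_session_info

  if !selected_cis2_role_is_valid?
    redirect_to users_role_not_found_path
  elsif !selected_cis2_org_is_registered?
    redirect_to users_organisation_not_found_path
  elsif !selected_cis2_workgroup_is_valid?
    redirect_to users_workgroup_not_found_path
  else
    @user = User.find_or_create_from_cis2_oidc(user_cis2_info, valid_teams)

    # Track which users have authorisation to supply using the PGD protocol.
    @user.update!(show_in_suppliers: cis2_info.is_nurse?)

    # Give them a session token for the reporting app also. A new random
    # value is issued on every successful login.
    @user.update!(reporting_api_session_token: SecureRandom.hex(32))

    # Force is set to true because the `session_token` might have changed
    # even if the same user is logging in.
    sign_in @user, event: :authentication, force: true

    # We have to split sign_in and redirect methods up, so we can supply the
    # allow_other_host param to the redirect. This is so that we can
    # redirect to the reporting app which will be running on another host/port
    # Note that safety checks on the host are now done in the
    # after_sign_in_path_for method, so this doesn't allow arbitrary URLs
    redirect_after_choosing_org
  end
rescue StandardError => e
  unless Rails.env.production?
    user_info = request.env["omniauth.auth"].to_h

    # NOTE(review): this writes the raw ID token to the log in every
    # non-production environment. Confirm that logs for any environment
    # connected to real CIS2 identities are access-controlled, or log only
    # the specific claims needed for debugging.
    Rails.logger.error(
      "ID token: #{user_info.dig("credentials", "id_token")}"
    )

    # The payload may be missing or partial when the callback fails early.
    # Default to an empty hash so this diagnostic logging cannot raise
    # NoMethodError on nil and mask the original exception.
    raw_info = user_info.dig("extra", "raw_info") || {}
    Rails.logger.error(raw_info.slice("nhsid_nrbac_roles").to_h)
    Rails.logger.error(raw_info.slice("nhsid_user_orgs").to_h)
    Rails.logger.error(raw_info.slice("selected_roleid").to_h)
  end

  raise e
end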
# File app/controllers/users/omniauth_callbacks_controller.rb, line 63
#
# Handles a logout request that carries a `logout_token` parameter.
#
# Responds 400 with a JSON error when the token fails validation. Otherwise
# responds 200 with an empty JSON object, first clearing the user's
# `session_token` and `reporting_api_session_token` when the token names no
# session (@sid is blank) or names the user's current session.
#
# NOTE(review): @sid and @user are not assigned in this method; presumably
# validate_logout_token populates them on success. Confirm against that
# helper, including that @user cannot be nil when it returns true.
def cis2_logout
  unless validate_logout_token(params[:logout_token])
    return render json: { error: "Invalid logout token" }, status: :bad_request
  end

  # A token for a different session id leaves the stored tokens untouched
  # but is still acknowledged with 200.
  targets_current_session = @sid.blank? || @user.session_token == @sid
  if targets_current_session
    @user.update!(session_token: nil, reporting_api_session_token: nil)
  end

  render json: {}, status: :ok
end
# File app/controllers/users/omniauth_callbacks_controller.rb, line 77
#
# Signs the current user out of this application and redirects to the
# post-sign-out path for the resource.
#
# When Devise.sign_out_all_scopes is truthy, sign_out is called with no
# argument; otherwise it is called with resource_name. The flash notice is
# set only when sign_out returns a truthy value.
#
# NOTE(review): unlike cis2_logout, this method does not clear
# session_token or reporting_api_session_token itself. Confirm that a
# sign-out hook elsewhere revokes the reporting-app token.
def logout
  signed_out =
    if Devise.sign_out_all_scopes
      sign_out
    else
      sign_out(resource_name)
    end

  flash[:notice] = "You have been logged out" if signed_out

  redirect_to after_sign_out_path_for(resource_name)
end