//! tower-sessions layer that loco-oauth2 uses to hold the short-lived CSRF /
//! PKCE state between the authorize redirect and the provider callback. An
//! in-memory store is sufficient since the state only needs to survive the
//! round-trip to the provider.

use axum::Router as AxumRouter;
use loco_rs::prelude::*;
use tower_sessions::{cookie::time::Duration, Expiry, MemoryStore, SessionManagerLayer};

pub struct OAuth2SessionInitializer;

#[async_trait]
impl Initializer for OAuth2SessionInitializer {
    fn name(&self) -> String {
        "oauth2-session".to_string()
    }

    async fn after_routes(&self, router: AxumRouter, _ctx: &AppContext) -> Result<AxumRouter> {
        let session_store = MemoryStore::default();
        let session_layer = SessionManagerLayer::new(session_store)
            .with_secure(false)
            .with_expiry(Expiry::OnInactivity(Duration::minutes(10)));
        Ok(router.layer(session_layer))
    }
}