use crate::domain::models::*;
use anyhow::Result;

/// Domain service for OAuth2 authorization flow
pub trait AuthorizationService: Send + Sync {
    fn authorize(
        &self,
        request: &AuthorizationRequest,
        user: &User,
    ) -> Result<AuthorizationResult, OAuthError>;
    fn validate_client(&self, client_id: &str) -> Result<OAuthClient, OAuthError>;
    fn validate_redirect_uri(
        &self,
        client: &OAuthClient,
        redirect_uri: &str,
    ) -> Result<(), OAuthError>;
    fn validate_scopes(
        &self,
        client: &OAuthClient,
        requested_scopes: &[String],
    ) -> Result<Vec<String>, OAuthError>;
}

/// Domain service for OAuth2 token operations
pub trait TokenService: Send + Sync {
    fn exchange_code_for_tokens(&self, request: &TokenRequest) -> Result<TokenResult, OAuthError>;
    fn refresh_tokens(&self, request: &TokenRequest) -> Result<TokenResult, OAuthError>;
    fn introspect_token(&self, token: &str, client_id: &str) -> Result<TokenClaims, OAuthError>;
    fn revoke_token(&self, token: &str, client_id: &str) -> Result<(), OAuthError>;
}

/// Domain service for client management
pub trait ClientService: Send + Sync {
    fn create_client(&self, client: &OAuthClient, client_secret: &str) -> Result<()>;
    fn get_client(&self, client_id: &str) -> Result<Option<OAuthClient>>;
    fn update_client(&self, client: &OAuthClient) -> Result<()>;
    fn delete_client(&self, client_id: &str) -> Result<()>;
    fn authenticate_client(
        &self,
        client_id: &str,
        client_secret: &str,
    ) -> Result<OAuthClient, OAuthError>;
}

/// Domain service for user management
pub trait UserService: Send + Sync {
    fn get_user(&self, user_id: &str) -> Result<Option<User>>;
    fn authenticate_user(&self, username: &str, password: &str) -> Result<User, OAuthError>;
    fn is_user_authorized(
        &self,
        user: &User,
        client: &OAuthClient,
        scopes: &[String],
    ) -> Result<bool>;
}

/// Domain service for audit logging
pub trait AuditService: Send + Sync {
    fn log_authorization_attempt(
        &self,
        request: &AuthorizationRequest,
        user: Option<&User>,
        success: bool,
        ip_address: Option<&str>,
    ) -> Result<()>;
    fn log_token_request(
        &self,
        request: &TokenRequest,
        success: bool,
        ip_address: Option<&str>,
    ) -> Result<()>;
    fn log_token_introspection(
        &self,
        token_hash: &str,
        client_id: &str,
        success: bool,
    ) -> Result<()>;
    fn log_token_revocation(&self, token_hash: &str, client_id: &str, success: bool) -> Result<()>;
}

/// Domain service for rate limiting
pub trait RateLimitService: Send + Sync {
    fn check_rate_limit(&self, identifier: &str, endpoint: &str) -> Result<(), OAuthError>;
    fn is_rate_limited(
        &self,
        identifier: &str,
        endpoint: &str,
        max_requests: u32,
        window_minutes: u32,
    ) -> Result<bool>;
}

/// Domain service for PKCE operations
pub trait PkceService: Send + Sync {
    fn generate_code_verifier(&self) -> String;
    fn generate_code_challenge(&self, verifier: &str, method: &str) -> Result<String>;
    fn verify_code_challenge(&self, verifier: &str, challenge: &str, method: &str) -> Result<bool>;
}

/// Domain service for JWT operations
pub trait JwtService: Send + Sync {
    fn generate_access_token(&self, claims: &TokenClaims) -> Result<String>;
    fn generate_refresh_token(
        &self,
        client_id: &str,
        user_id: &str,
        scopes: &[String],
    ) -> Result<String>;
    fn validate_token(&self, token: &str) -> Result<TokenClaims>;
    fn get_jwks(&self) -> Result<String>; // JSON Web Key Set
}