syntax = "proto3";

package dyson_network.sphere.auth;

import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "DysonNetwork.Sphere.Auth.Proto";

service AuthService {
  // Standard username/password login
  rpc Login(LoginRequest) returns (LoginResponse);

  // Introspects an OAuth 2.0 access token.
  rpc IntrospectToken(IntrospectTokenRequest) returns (IntrospectionResponse);

  // Logs out the current session
  rpc Logout(google.protobuf.Empty) returns (google.protobuf.Empty);
}

message LoginRequest {
  string username = 1;
  string password = 2;
  // Optional: for 2FA
  string two_factor_code = 3;
}

message LoginResponse {
  string access_token = 1;
  string refresh_token = 2;
  int64 expires_in = 3;
}

message IntrospectTokenRequest {
  string token = 1;
  // Optional: token_type_hint can be "access_token" or "refresh_token"
  string token_type_hint = 2;
}

message IntrospectionResponse {
  // Indicates whether or not the token is currently active.
  bool active = 1;
  // A JSON string containing the claims of the token.
  string claims = 2;
  // The client identifier for the OAuth 2.0 client that requested the token.
  string client_id = 3;
  // The username of the resource owner who authorized the token.
  string username = 4;
  // The scope of the access token.
  string scope = 5;
  // The time at which the token was issued.
  google.protobuf.Timestamp iat = 6;
  // The time at which the token expires.
  google.protobuf.Timestamp exp = 7;
}