#ifndef AUTH_API_CLIENT_H
#define AUTH_API_CLIENT_H

#include <Arduino.h>
#include <WiFiClientSecure.h>
#include <HTTPClient.h>
#include <time.h>

class AuthApiClient {
public:
  AuthApiClient(const String& apiBase, int requestId = 12345);
  void setInsecure(bool enable = true);
  void setRootCA(const char* pemRootCA);
  void useCertBundle(bool enable = true);
  bool login(const String& userName, const String& password);
  bool loadDisk(const String& unitId, const String& diskId);
  bool loadDiskSector(const String& unitId, const String& diskId, uint32_t lba, uint32_t offset, void* buffer, size_t bufsize); 
  bool refresh();
  bool ensureTokenFresh(long refreshEarlySeconds = 60);
  bool postJson(const String& path, const String& jsonBody, String& respBody, bool autoRefresh = true);
  bool get(const String& path, String& respBody, bool autoRefresh = true);
  bool authed() const { return _authed; }
  const String& accessToken() const { return _accessToken; }
  void setAccessToken(const String& token);
  const String& refreshToken() const { return _refreshToken; }
  time_t tokenExp() const { return _tokenExpEpoch; }

private:
  bool httpsPostJsonFullUrl(const String& fullUrl, const String& jsonBody, String& respBody);
  bool httpsPostJsonReturnBytesFullUrl(const String& fullUrl, const String& jsonBody, uint8_t*& outBufPS, size_t& outLen);
  bool httpsGetFullUrl(const String& fullUrl, String& respBody);
  bool beginHttp(HTTPClient& http, WiFiClientSecure& client, const String& fullUrl);
  static bool base64UrlDecode(const String& in, String& out);
  static time_t jwtExp(const String& jwt);

  String _apiBase;
  int _requestId;
  String _accessToken;
  String _refreshToken;
  time_t _tokenExpEpoch = 0;
  bool _authed = false;
  bool _useInsecure = true;
  const char* _rootCA = nullptr;
  bool _useBundle = false;
};

#endif // AUTH_API_CLIENT_H