# ===============================================
# AUTHENTICATION
# ===============================================

extend type Query {
  apiKeys: [AuthenticationApiKey]

  apiState: Boolean

  authStrategies(
    enabledOnly: Boolean
  ): [AuthenticationStrategy]
}

extend type Mutation {
  createApiKey(
    name: String!
    expiration: String!
    fullAccess: Boolean!
    group: Int
  ): AuthenticationCreateApiKeyResponse

  login(
    username: String!
    password: String!
    strategy: String!
  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)

  loginTFA(
    continuationToken: String!
    securityCode: String!
    setup: Boolean
  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)

  loginChangePassword(
    continuationToken: String!
    newPassword: String!
  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)

  forgotPassword(
    email: String!
  ): DefaultResponse @rateLimit(limit: 3, duration: 60)

  register(
    email: String!
    password: String!
    name: String!
  ): AuthenticationRegisterResponse

  revokeApiKey(
    id: Int!
  ): DefaultResponse

  setApiState(
    enabled: Boolean!
  ): DefaultResponse

  updateAuthStrategies(
    strategies: [AuthenticationStrategyInput]!
  ): DefaultResponse

  regenerateCertificates: DefaultResponse

  resetGuestUser: DefaultResponse
}

# -----------------------------------------------
# TYPES
# -----------------------------------------------

type AuthenticationStrategy {
  key: String!
  props: [KeyValuePair] @auth(requires: ["manage:system"])
  title: String!
  description: String
  isAvailable: Boolean
  useForm: Boolean!
  usernameType: String
  logo: String
  color: String
  website: String
  icon: String
}

type AuthenticationActiveStrategy {
  key: String!
  strategy: AuthenticationStrategy!
  displayName: String!
  order: Int!
  isEnabled: Boolean!
  config: [KeyValuePair] @auth(requires: ["manage:system"])
  selfRegistration: Boolean!
  domainWhitelist: [String]! @auth(requires: ["manage:system"])
  autoEnrollGroups: [Int]! @auth(requires: ["manage:system"])
}

type AuthenticationLoginResponse {
  operation: Operation
  jwt: String
  mustChangePwd: Boolean
  mustProvideTFA: Boolean
  mustSetupTFA: Boolean
  continuationToken: String
  redirect: String
  tfaQRImage: String
}

type AuthenticationRegisterResponse {
  operation: Operation
  jwt: String
}

input AuthenticationStrategyInput {
  key: String!
  strategyKey: String!
  config: [KeyValuePairInput]
  displayName: String!
  order: Int!
  isEnabled: Boolean!
  selfRegistration: Boolean!
  domainWhitelist: [String]!
  autoEnrollGroups: [Int]!
}

type AuthenticationApiKey {
  id: Int!
  name: String!
  keyShort: String!
  expiration: Date!
  createdAt: Date!
  updatedAt: Date!
  isRevoked: Boolean!
}

type AuthenticationCreateApiKeyResponse {
  operation: Operation
  key: String
}