import type { SerializeOptions } from "cookie";

export type CookieOptions = Partial<SerializeOptions>;
export type CookieOptionsWithName = { name?: string } & CookieOptions;

export type GetCookie = (
  name: string,
) => Promise<string | null | undefined> | string | null | undefined;

export type SetCookie = (
  name: string,
  value: string,
  options: CookieOptions,
) => Promise<void> | void;
export type RemoveCookie = (
  name: string,
  options: CookieOptions,
) => Promise<void> | void;

export type GetAllCookies = () =>
  | Promise<{ name: string; value: string }[] | null>
  | { name: string; value: string }[]
  | null;

export type SetAllCookies = (
  cookies: { name: string; value: string; options: CookieOptions }[],
  /**
   * Headers that must be set on the HTTP response alongside the cookies.
   * Responses that set auth cookies must not be cached by CDNs or
   * reverse proxies, otherwise one user's session token can be served
   * to a different user.
   *
   * The library passes the following headers when auth cookies are set:
   * - `Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0`
   * - `Expires: 0`
   * - `Pragma: no-cache`
   *
   * @example
   * ```ts
   * // Next.js middleware
   * setAll(cookiesToSet, headers) {
   *   cookiesToSet.forEach(({ name, value, options }) =>
   *     response.cookies.set(name, value, options)
   *   )
   *   Object.entries(headers).forEach(([key, value]) =>
   *     response.headers.set(key, value)
   *   )
   * }
   * ```
   */
  headers: Record<string, string>,
) => Promise<void> | void;

export type CookieMethodsBrowserDeprecated = {
  get: GetCookie;
  set: SetCookie;
  remove: RemoveCookie;
};

export type CookieMethodsBrowser = {
  /**
   * If set to true, only the user's session (access and refresh tokens) will be encoded in cookies. The user object will be encoded in local storage if the `userStorage` option is not provided when creating the client.
   *
   * You should keep this option the same between `createBrowserClient()` and `createServerClient()`. When set to `tokens-only` accessing the `user` property on the data returned from `getSession()` will only be possible if the user has already been stored in the separate storage. It's best to use `getClaims()` instead to avoid surprizes.
   *
   * @experimental
   */
  encode?: "user-and-tokens" | "tokens-only";

  /**
   * Required when reading cookies from a custom store. If both `getAll` and
   * `setAll` are omitted in a browser runtime, the client falls back to
   * reading via `document.cookie`. Tokens and PKCE code verifiers are still
   * persisted in cookies regardless of the `encode` option, so cookie access
   * (custom or fallback) is required for auth to work.
   */
  getAll?: GetAllCookies;
  /**
   * Required alongside `getAll` when using a custom cookie store. If both
   * `getAll` and `setAll` are omitted in a browser runtime, the client falls
   * back to writing via `document.cookie`.
   */
  setAll?: SetAllCookies;
};

export type CookieMethodsServerDeprecated = {
  get: GetCookie;
  set?: SetCookie;
  remove?: RemoveCookie;
};

export type CookieMethodsServer = {
  /**
   * If set to `tokens-only`, only the user's access and refresh tokens will be encoded in cookies. The user object will be encoded in memory if the `userStorage` option is not provided when creating the client. Unset value defaults to `user-and-tokens`.
   *
   * You should keep this option the same between `createBrowserClient()` and `createServerClient()`. When set to `tokens-only` accessing the `user` property on the data returned from `getSession()` will not be possible. Use `getUser()` or preferably `getClaims()` instead.
   *
   * @experimental
   */
  encode?: "user-and-tokens" | "tokens-only";

  getAll: GetAllCookies;

  /**
   * Called by the Supabase Client to write cookies to the response after a
   * token refresh or auth state change.
   *
   * **IMPORTANT:** Call `await supabase.auth.getSession()` (or `getUser()`)
   * early in your request handler — before any response is generated. If a
   * token refresh completes after the HTTP response has already been committed,
   * the updated session cannot be written here and will be lost, causing the
   * next request to refresh again.
   *
   * **CDN and reverse proxy caching.**
   *
   * Token refreshes write `Set-Cookie` headers to the response. If your app is
   * behind a CDN or reverse proxy (e.g. CloudFront, Vercel Edge, Cloudflare),
   * set `Cache-Control: private, no-store` on routes that handle authentication
   * (typically your middleware) to prevent these responses from being cached.
   *
   * **`getSession()` vs `getUser()`.**
   *
   * `getSession()` returns the session directly from cookies without contacting
   * the Supabase Auth server. The user object it contains is therefore
   * **not verified** and should not be used for authorization decisions.
   * Use `getUser()` when you need a verified user identity — it contacts the
   * Auth server on every call to validate the token.
   */
  setAll?: SetAllCookies;
};