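#!/usr/bin/env bash
# Registers (or refreshes) OAuth2 client-credentials clients in Hydra from a
# JSON array of {client_id, client_secret, scope} objects.
#
# Required environment:
#   HYDRA_ADMIN_URL  URL of the Hydra admin API, passed to every hydra call.
# Required files:
#   /etc/config/oauth2/client/client-credentials.json  the client list.
#
# NOTE: do not enable `set -x` in this script — client secrets are passed on
# the argv of `hydra create`, and a command trace would write them to logs.
set -euo pipefail

# Constants
readonly CREDENTIALS_FILE="/etc/config/oauth2/client/client-credentials.json"

# Fail fast with a clear message when the admin endpoint is not configured,
# instead of an unset-variable error from `set -u` deep inside create_client.
: "${HYDRA_ADMIN_URL:?HYDRA_ADMIN_URL must be set to the Hydra admin API URL}"

# Abort if the credentials file is missing (it is never created here).
if [[ ! -f "$CREDENTIALS_FILE" ]]; then
  echo "ERROR: credentials file $CREDENTIALS_FILE not found" >&2
  exit 1
fi

# Reject a malformed file up front; the process substitution feeding the loop
# below cannot propagate a jq parse failure under set -e the way a pipeline
# with pipefail would.
if ! jq -e 'type == "array"' "$CREDENTIALS_FILE" >/dev/null; then
  echo "ERROR: credentials file $CREDENTIALS_FILE is not a JSON array" >&2
  exit 1
fi

# Fixed grace period for Hydra to come up. This is not a readiness check: if
# Hydra is still down, the first `hydra create` below fails and set -e aborts
# the script.
sleep 3

#######################################
# Create a client in Hydra, replacing an existing definition with the same id
# so that scope/secret changes in the credentials file take effect.
# Globals:   HYDRA_ADMIN_URL (read)
# Arguments: $1 - client id
#            $2 - client secret
#            $3 - scope string handed to `--scope`
# Outputs:   INFO lines on stdout
# Returns:   non-zero (aborting the script under set -e) if the hydra CLI fails
#######################################
create_client() {
  local client_id=$1
  local client_secret=$2
  local scope=$3
  local exists_in_hydra=false

  # A failed `get` is treated as "not present". That also covers an
  # unreachable admin API; in that case the `create` below fails loudly.
  if hydra get oauth2-client "$client_id" --endpoint "$HYDRA_ADMIN_URL" >/dev/null 2>&1; then
    exists_in_hydra=true
  fi

  # Upsert behavior: remove stale client definition so scope/secret updates are applied.
  # Delete and create are not atomic: if the create fails, the client stays
  # deleted until the script is re-run successfully.
  if [[ "$exists_in_hydra" == true ]]; then
    echo "INFO: client $client_id exists in Hydra, replacing to refresh scope/secret"
    hydra delete oauth2-client "$client_id" --endpoint "$HYDRA_ADMIN_URL" >/dev/null
  fi

  # The secret travels on argv and is briefly visible to local process
  # listings; the CLI output is discarded so nothing about the client is
  # echoed to stdout.
  hydra create oauth2-client --endpoint "$HYDRA_ADMIN_URL" \
    --id "$client_id" \
    --secret "$client_secret" \
    --grant-type "client_credentials" \
    --response-type "token" \
    --scope "$scope" \
    --token-endpoint-auth-method "client_secret_post" \
    --format json >/dev/null

  echo "INFO: client $client_id created/updated"
}

# Load client credentials. Process substitution keeps the loop in the main
# shell, so `exit` on a bad entry terminates the script directly rather than
# only a pipeline subshell. `// empty` maps a missing or null field to "",
# never to the literal string "null" that `jq -r` would otherwise emit.
while IFS= read -r client; do
  client_id=$(jq -r '.client_id // empty' <<<"$client")
  client_secret=$(jq -r '.client_secret // empty' <<<"$client")
  scope=$(jq -r '.scope // empty' <<<"$client")
  # id and secret are mandatory; an explicit empty scope is passed through as-is.
  if [[ -z "$client_id" || -z "$client_secret" ]]; then
    echo "ERROR: entry for client_id '${client_id:-<missing>}' lacks client_id or client_secret" >&2
    exit 1
  fi
  create_client "$client_id" "$client_secret" "$scope"
done < <(jq -c '.[]' "$CREDENTIALS_FILE")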