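import type { CollectionConfig, FieldAccess } from 'payload'
import { auditUserAfterChange, auditUserAfterDelete } from '../hooks/auditUserChanges'
import {
  auditAfterLogin,
  auditAfterLogout,
  auditAfterForgotPassword,
} from '../hooks/auditAuthEvents'

/**
 * Field-level access rule: only a request whose authenticated user already
 * carries `isSuperAdmin` may write the guarded field.
 *
 * Unauthenticated requests and ordinary users are denied, so the flag cannot
 * be self-assigned through the API.
 */
const superAdminOnly: FieldAccess = ({ req }) => {
  const user = req.user
  return Boolean(user && 'isSuperAdmin' in user && user.isSuperAdmin)
}

/**
 * Payload auth collection for user accounts.
 *
 * Configures session cookies, login lockout and token lifetime, wires the
 * audit hooks for user changes and auth events, and defines the
 * `isSuperAdmin` flag.
 *
 * NOTE(review): no collection-level `access` is defined in this file. Unless
 * it is applied elsewhere (e.g. by a plugin), Payload's default access rule
 * governs who may read, create, update and delete user documents; confirm
 * that this is intended.
 */
export const Users: CollectionConfig = {
  slug: 'users',
  admin: {
    useAsTitle: 'email',
  },
  auth: {
    // Cookie configuration for production behind a reverse proxy (Cloudflare/Caddy)
    cookies: {
      sameSite: 'Lax',
      // Secure flag only in production, so plain-HTTP local development still works
      secure: process.env.NODE_ENV === 'production',
      domain: undefined, // left unset: the browser scopes the cookie to the requesting host
    },
    // Security settings
    lockTime: 10 * 60 * 1000, // 10-minute lock once the maximum number of failed attempts is reached
    maxLoginAttempts: 5,
    tokenExpiration: 7200, // 2 hours
  },
  hooks: {
    afterChange: [auditUserAfterChange],
    afterDelete: [auditUserAfterDelete],
    afterLogin: [auditAfterLogin],
    afterLogout: [auditAfterLogout],
    afterForgotPassword: [auditAfterForgotPassword],
  },
  fields: [
    {
      name: 'isSuperAdmin',
      type: 'checkbox',
      label: 'Super Admin',
      defaultValue: false,
      // Privileged flag: without field-level access it inherits the collection's
      // access rules, so any user allowed to update a user document could set it.
      // Restrict writes to existing super admins; read access is unchanged.
      access: {
        create: superAdminOnly,
        update: superAdminOnly,
      },
      admin: {
        description: 'Super Admins haben Zugriff auf alle Tenants und können neue Tenants erstellen.',
        position: 'sidebar',
      },
    },
  ],
}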