# Copyright (c) 2025 Patrick Motsch
# All rights reserved.
"""OAuth scope sets for split Auth- vs Data-apps (Google / Microsoft)."""

# The scope lists below are plain module-level lists, so they are mutable and
# shared by every importer. Callers should copy before modifying: an in-place
# change alters the scopes of every later authorization or refresh request.

# Google, Auth app: identity scopes only, no Gmail or Drive API scopes.
googleAuthScopes = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
]

# Google, Data app: the same three identity scopes (for token responses) plus
# Gmail, Drive, Calendar and Contacts. Every API scope listed is `.readonly`.
googleDataScopes = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
]

# Microsoft, Auth app: Graph profile only
# (MSAL adds openid, profile, offline_access, …).
msftAuthScopes = [
    "User.Read",
]

# Microsoft, Data app (delegated; requires admin consent for several).
# Unlike the Google Data set, this list holds write and send permissions
# (Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, Sites.ReadWrite.All,
# Chat.ReadWrite, ChatMessage.Send), so a token issued for it can modify
# and send data, not only read it.
# NOTE(review): confirm each write/send scope is needed by a shipped feature;
# the Google side gets by with read-only access.
msftDataScopes = [
    "User.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
    "Team.ReadBasic.All",
    "OnlineMeetings.Read",
    "Chat.ReadWrite",
    "ChatMessage.Send",
    "Calendars.Read",
    "Contacts.Read",
]


def msftDataScopesForRefresh() -> str:
    """Build the scope parameter for a Microsoft Data-app token refresh (Token v2).

    Returns:
        The entries of ``msftDataScopes`` in list order, joined by single
        spaces. The list is read at call time, so the result reflects any
        in-place change made to it since import.

    NOTE(review): the string holds only what is in ``msftDataScopes``. The
    scopes that MSAL adds on its own (openid, profile, offline_access, …) are
    not part of it; confirm the refresh call does not depend on them.
    """
    separator = " "
    return separator.join(msftDataScopes)


# Infomaniak intentionally has no OAuth scope set: the kDrive + Mail data APIs
# are only reachable with manually issued Personal Access Tokens (see
# wiki/d-guides/infomaniak-token-setup.md). The OAuth /authorize endpoint at
# login.infomaniak.com only accepts identity scopes (openid/profile/email/phone)
# and does not return tokens that work against /1/* data routes.
# NOTE(review): those Personal Access Tokens are issued outside the OAuth flow
# defined in this module, so their storage and rotation need their own
# handling; verify against the linked guide.