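# Copyright (c) 2025 Patrick Motsch
# All rights reserved.
"""OAuth scope sets for split Auth- vs Data-apps (Google / Microsoft).

Each provider has up to two app registrations: an Auth app that requests
identity scopes only, and a Data app that also requests the mail/file/chat
scopes. The lists below are what each app asks for at authorization time.
"""

# Google — Auth app only (no Gmail/Drive API scopes)
googleAuthScopes = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
]

# Google — Data app (Gmail + Drive + identity for token responses)
# Both data scopes are the read-only variants.
googleDataScopes = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
]

# Microsoft — Auth app: Graph profile only (MSAL adds openid, profile, offline_access, …)
msftAuthScopes = [
    "User.Read",
]

# Microsoft — Data app (delegated; requires admin consent for several)
# NOTE(review): unlike the Google data set, this one is write-capable
# (Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, Sites.ReadWrite.All,
# Chat.ReadWrite, ChatMessage.Send). Every token and refresh token issued to
# the Data app carries all of them, so confirm each write scope is actually
# used and drop or narrow the ones that are not.
msftDataScopes = [
    "User.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
    "Team.ReadBasic.All",
    "OnlineMeetings.Read",
    "Chat.ReadWrite",
    "ChatMessage.Send",
]


def msftDataScopesForRefresh() -> str:
    """Space-separated scope string identical to authorization request (Token v2 refresh).

    Returns:
        The entries of ``msftDataScopes`` joined with single spaces, in list order.

    The list is read at call time, so any code that mutates ``msftDataScopes``
    after import also changes what is sent on refresh.
    """
    # NOTE(review): offline_access is not in msftDataScopes; presumably the
    # auth library adds it on the authorization request — confirm, since this
    # string is meant to match that request.
    return " ".join(msftDataScopes)


# Infomaniak — Data app (kDrive + Mail; user_info needed for /1/profile lookup)
infomaniakDataScopes = [
    "user_info",
    "kdrive",
    "mail",
]


def infomaniakDataScopesForRefresh() -> str:
    """Space-separated scope string identical to authorization request.

    Returns:
        The entries of ``infomaniakDataScopes`` joined with single spaces, in
        list order (read at call time).
    """
    return " ".join(infomaniakDataScopes)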