// Package privacyidea implements the domain.MFAProvider interface by delegating
// all MFA decisions to a privacyIDEA server. KeyCape contains no MFA logic —
// every check and validation call is forwarded verbatim to privacyIDEA.
package privacyidea

import "net/http"

// Config holds all connection parameters for the privacyIDEA adapter.
type Config struct {
	// BaseURL is the privacyIDEA server base URL, e.g. "https://privacyidea.local".
	BaseURL string

	// AdminToken is the service-account JWT used to authenticate requests to the
	// privacyIDEA admin API.
	AdminToken string

	// Realm is the privacyIDEA realm to scope token and validate requests.
	// Defaults to "netkingdom" when empty.
	Realm string
}

// realm returns the effective realm, falling back to "netkingdom".
func (c Config) realm() string {
	if c.Realm != "" {
		return c.Realm
	}
	return "netkingdom"
}

// HTTPClient is a minimal interface over net/http.Client for test injection.
type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

// defaultHTTPClient is the production HTTP client used when none is injected.
var defaultHTTPClient HTTPClient = &http.Client{}