import { getThalosAuthBaseUrl, getThalosDefaultReturnUrl, getThalosDefaultTenantId } from '../api/client';

export function buildGoogleOidcStartUrl(returnUrl = window.location.href, tenantId = getThalosDefaultTenantId()): string {
  const authBase = getThalosAuthBaseUrl().replace(/\/+$/, '');
  const safeReturnUrl = sanitizeReturnUrl(returnUrl);
  const query = new URLSearchParams({
    returnUrl: safeReturnUrl,
    tenantId
  });

  return `${authBase}/api/identity/oidc/google/start?${query.toString()}`;
}

function sanitizeReturnUrl(rawReturnUrl: string): string {
  try {
    const parsed = new URL(rawReturnUrl);
    if (parsed.protocol === 'https:' || parsed.protocol === 'http:') {
      return parsed.toString();
    }
  } catch {
    return getThalosDefaultReturnUrl();
  }

  return getThalosDefaultReturnUrl();
}