<?php

namespace App\Services\Providers;

use App\Models\ProviderConnection;
use RuntimeException;

final class AdminConsentUrlFactory
{
    public function __construct(
        private readonly ProviderIdentityResolver $identityResolver,
    ) {}

    public function make(ProviderConnection $connection, string $state): string
    {
        $normalizedState = trim($state);

        if ($normalizedState === '') {
            throw new RuntimeException('Consent state is required.');
        }

        $resolution = $this->identityResolver->resolve($connection);

        if (! $resolution->resolved || $resolution->effectiveClientId === null || $resolution->redirectUri === null) {
            throw new RuntimeException($resolution->message ?? 'Provider identity could not be resolved for admin consent.');
        }

        $tenantSegment = trim($resolution->tenantContext) !== '' ? trim($resolution->tenantContext) : 'organizations';

        return "https://login.microsoftonline.com/{$tenantSegment}/v2.0/adminconsent?".http_build_query([
            'client_id' => $resolution->effectiveClientId,
            'redirect_uri' => $resolution->redirectUri,
            'scope' => (string) config('graph.scope', 'https://graph.microsoft.com/.default'),
            'state' => $normalizedState,
        ]);
    }
}