import { ClientSecretCredential } from '@azure/identity';

const tenantId = process.env.AZURE_AD_TENANT_ID || process.env.AZURE_TENANT_ID;
const clientId = process.env.AZURE_AD_CLIENT_ID;
const clientSecret = process.env.AZURE_AD_CLIENT_SECRET;
const GRAPH_SCOPE = 'https://graph.microsoft.com/.default';

export async function getGraphAccessToken(): Promise<string> {
  if (!tenantId || !clientId || !clientSecret) {
    throw new Error('Missing Azure AD credentials. Set AZURE_AD_TENANT_ID, AZURE_AD_CLIENT_ID and AZURE_AD_CLIENT_SECRET in env');
  }

  const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
  const token = await credential.getToken(GRAPH_SCOPE);
  if (!token || !token.token) throw new Error('Failed to acquire Graph access token');
  return token.token;
}

export default getGraphAccessToken;