/**
 * Shared CAPTCHA types — safe to import from BOTH server and client code
 * (contains no runtime logic, only type declarations + the field-name contract
 * exchanged between the <Captcha /> component and the server-side verifier).
 *
 * Mirrors Shopware's default-storefront CAPTCHA system (Settings → Basic
 * information → CAPTCHA, config key `core.basicInformation.activeCaptchasV2`).
 * Several CAPTCHAs can be active at once (e.g. Honeypot + reCAPTCHA), so each
 * field below is independent and ALL active ones must pass.
 */

export type CaptchaName =
  | 'honeypot'
  | 'basicCaptcha'
  | 'googleReCaptchaV2'
  | 'googleReCaptchaV3';

/**
 * The browser-safe projection of the active CAPTCHA config. NEVER contains
 * secret keys — only what the widget needs to render (site keys, flags).
 */
export interface PublicCaptchaConfig {
  /** Honeypot active — render the hidden trap field. */
  honeypot: boolean;
  /** Basic (image) captcha active — render the challenge image + input. */
  basicCaptcha: boolean;
  /** Google reCAPTCHA v2 active, with its public site key + invisible flag. */
  googleReCaptchaV2: { siteKey: string; invisible: boolean } | null;
  /** Google reCAPTCHA v3 active, with its public site key. */
  googleReCaptchaV3: { siteKey: string } | null;
}

/** The values the <Captcha /> component collects and submits for verification. */
export interface CaptchaPayload {
  /** Honeypot trap — must stay empty; bots tend to fill it. */
  honeypot?: string;
  /** Basic captcha: the user's answer + the HMAC-signed challenge token. */
  basicCaptchaAnswer?: string;
  basicCaptchaToken?: string;
  /** Google reCAPTCHA v2 response token. */
  recaptchaV2Token?: string;
  /** Google reCAPTCHA v3 response token. */
  recaptchaV3Token?: string;
}

/** Keys that belong to the CAPTCHA payload — used to split form bodies. */
export const CAPTCHA_PAYLOAD_KEYS: (keyof CaptchaPayload)[] = [
  'honeypot',
  'basicCaptchaAnswer',
  'basicCaptchaToken',
  'recaptchaV2Token',
  'recaptchaV3Token',
];