/**
 * Migration: Add session and role mapping configuration to tenants
 * Adds session_timeout, require_mfa, allow_concurrent_sessions, and role_mappings fields
 */

'use strict';

module.exports = {
  up: async (queryInterface, Sequelize) => {
    // Add session configuration fields
    await queryInterface.addColumn('tenants', 'session_timeout', {
      type: Sequelize.INTEGER,
      defaultValue: 480, // 8 hours in minutes
      allowNull: false,
      comment: 'Session timeout in minutes'
    });

    await queryInterface.addColumn('tenants', 'require_mfa', {
      type: Sequelize.BOOLEAN,
      defaultValue: false,
      allowNull: false,
      comment: 'Whether multi-factor authentication is required'
    });

    await queryInterface.addColumn('tenants', 'allow_concurrent_sessions', {
      type: Sequelize.BOOLEAN,
      defaultValue: true,
      allowNull: false,
      comment: 'Whether users can have multiple concurrent sessions'
    });

    await queryInterface.addColumn('tenants', 'role_mappings', {
      type: Sequelize.JSONB,
      allowNull: true,
      comment: 'Mapping of external groups/attributes to system roles'
    });

    // Update auth_provider enum to include 'ad'
    await queryInterface.sequelize.query(`
      ALTER TYPE "enum_tenants_auth_provider" ADD VALUE 'ad';
    `);
  },

  down: async (queryInterface, Sequelize) => {
    // Remove the added columns
    await queryInterface.removeColumn('tenants', 'session_timeout');
    await queryInterface.removeColumn('tenants', 'require_mfa');
    await queryInterface.removeColumn('tenants', 'allow_concurrent_sessions');
    await queryInterface.removeColumn('tenants', 'role_mappings');

    // Note: Removing enum values is complex in PostgreSQL and typically not done in production
    // The 'ad' value will remain in the enum even after this rollback
  }
};