// Package webauthn provides the adapter between the go-webauthn library and
// MCIAS internal types. It handles WebAuthn instance configuration and
// encryption/decryption of credential material stored in the database.
package webauthn

import (
	"fmt"

	"github.com/go-webauthn/webauthn/webauthn"

	"git.wntrmute.dev/kyle/mcias/internal/config"
)

// NewWebAuthn creates a configured go-webauthn instance from MCIAS config.
func NewWebAuthn(cfg *config.WebAuthnConfig) (*webauthn.WebAuthn, error) {
	if cfg.RPID == "" || cfg.RPOrigin == "" {
		return nil, fmt.Errorf("webauthn: RPID and RPOrigin are required")
	}
	displayName := cfg.DisplayName
	if displayName == "" {
		displayName = "MCIAS"
	}
	return webauthn.New(&webauthn.Config{
		RPID:          cfg.RPID,
		RPDisplayName: displayName,
		RPOrigins:     []string{cfg.RPOrigin},
	})
}