use axum_extra::extract::cookie;

/// Render the login page.
///
/// Not implemented yet: calling this handler panics via `todo!()`.
async fn get() {
    todo!()
}

/// Receive the submitted login form and begin the IndieAuth flow.
///
/// Not implemented yet: calling this handler panics via `todo!()`.
// NOTE(review): IndieAuth builds on OAuth 2.0, so the implementation should
// issue an unguessable `state` value (and a PKCE verifier) here and keep
// them server-side, so `callback` has something to compare against.
async fn post() {
    todo!()
}

/// Handle the redirect back from the IndieAuth flow and set the cookie
/// for the session that is required afterwards.
///
/// Not implemented yet: calling this handler panics via `todo!()`.
// NOTE(review): before any cookie is set, the returned `state` should be
// checked against the value issued in `post`; otherwise this endpoint can
// be driven by a request the user never started (login CSRF).
// NOTE(review): the session cookie should carry `HttpOnly`, `Secure` and a
// `SameSite` setting. Confirm once the cookie-building code exists.
async fn callback() {
    todo!()
}

/// Serve the logout form. With JS enabled the form is meant to POST
/// itself automatically.
///
/// Logging out only on POST keeps a plain GET from ending the session.
/// That is essentially protection from CSRF, and also from some crawlers
/// running with a user's cookies (wget?). A crawler that executes JS and
/// sends the POST anyway has only itself to blame.
///
/// Not implemented yet: calling this handler panics via `todo!()`.
// NOTE(review): GET-then-POST stops link, image and prefetch triggered
// logouts, but a form on another origin can still submit a POST. Treat it
// as CSRF protection only together with a `SameSite` session cookie or a
// per-session token checked in `logout`.
async fn logout_page() {
    todo!()
}

/// Clear the login cookies and invalidate the session.
///
/// Not implemented yet: calling this handler panics via `todo!()`.
// NOTE(review): dropping the cookie alone leaves a copied token usable;
// the server-side session record has to be removed as well, as the
// summary above already intends.
async fn logout() {
    todo!()
}

/// Build the router that exposes every handler in this module.
///
/// Routes:
/// - `/start`: GET -> [`get`], POST -> [`post`]
/// - `/finish`: GET -> [`callback`]
/// - `/logout`: GET -> [`logout_page`], POST -> [`logout`]
///
/// `key` is installed as the router state.
// NOTE(review): presumably `key` backs a signed or private cookie jar;
// no handler reads it yet, so confirm once the handlers are written.
fn router(key: cookie::Key) -> axum::routing::Router {
    let start = axum::routing::get(get).post(post);
    let finish = axum::routing::get(callback);
    let end_session = axum::routing::get(logout_page).post(logout);

    // A session store of some kind is still needed here. It should map
    // UUIDs (128 bits is enough for a session token) to at least a URL,
    // if not something more.
    // NOTE(review): that only holds for random (v4) UUIDs drawn from a
    // CSPRNG; time-based UUID versions are guessable and unsuitable as
    // session tokens.
    axum::routing::Router::new()
        .route("/start", start)
        .route("/finish", finish)
        .route("/logout", end_session)
        .with_state(key)
}