- id: anonymous-rest-auth
  upstream:
    url: "http://bats-tests:4012"
  match:
    url: "<(http|https)>://<[a-zA-Z0-9-.:]+>/auth/<.*>"
    methods: ["GET", "POST", "OPTIONS"]
  authenticators:
    - handler: jwt
      config:
        trusted_issuers:
          - https://firebaseappcheck.googleapis.com/72279297366
        target_audience:
          - projects/72279297366
        jwks_urls:
          - https://firebaseappcheck.googleapis.com/v1beta/jwks
          - file:///home/ory/jwks.json # ONLY FOR DEV, DO NOT USE IN PRODUCTION
        token_from:
          header: Appcheck
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: header
      config:
        headers:
          X-Appcheck-Jti: "{{ print .Extra.jti }}"

- id: galoy-ws
  upstream:
    url: "http://bats-tests:4000/graphql"
    strip_path: /graphqlws # ONLY FOR DEV, in prod should resolve to /graphql, like ws.blink.sv/graphql
  match:
    url: "<(http|https)>://<[a-zA-Z0-9-.:]+>/graphqlws" # ONLY FOR DEV, in prod should resolve to /graphql
    methods: ["POST", "GET"]
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop

- id: galoy-backend
  upstream:
    url: "http://apollo-router:4004"
  match:
    url: "<(http|https)>://<[a-zA-Z0-9-.:]+>/graphql"
    methods: ["POST", "GET", "OPTIONS"]
  authenticators:
    - handler: oauth2_introspection
      config:
        introspection_url: http://hydra:4445/admin/oauth2/introspect
        token_from:
          header: Oauth2-Token

    - handler: bearer_token
      config:
        token_from:
          header: X-API-KEY
        forward_http_headers:
        - "X-API-KEY"
        check_session_url: "http://bats-tests:5397/auth/check"
        force_method: GET
        preserve_path: true
        preserve_query: true
        subject_from: sub
        extra_from: "@this"
    - handler: bearer_token
      config:
        check_session_url: http://kratos:4433/sessions/whoami
        preserve_path: true
        preserve_query: true
        subject_from: identity.id
        extra_from: "@this"

    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
      config: #! TODO: add aud: {"aud": ["https://api/graphql"] }
        claims: '{"sub": "{{ print .Subject }}", "session_id": "{{ print .Extra.id }}", "expires_at": "{{ print .Extra.expires_at }}", "scope": "{{ print .Extra.scope }}", "client_id": "{{ print .Extra.client_id }}"}'

- id: admin-backend
  upstream:
    url: "http://bats-tests:4001"
    strip_path: /admin
  match:
    url: "<(http|https)>://<.*><[0-9]+>/admin<.*>"
    methods: ["GET", "POST", "OPTIONS"]
  authenticators:
    - handler: cookie_session
      config:
        check_session_url: http://host.docker.internal:3002/api/auth/session
        preserve_path: true
        preserve_query: true
        subject_from: user.email
        extra_from: "@this"
        force_method: "GET"
    - handler: oauth2_introspection
      config:
        introspection_url: http://hydra:4445/admin/oauth2/introspect
        token_from:
          header: Oauth2-Token
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
      config: #! TODO: add aud: {"aud": ["https://api/admin/graphql"] }
        claims: '{"sub": "{{ print .Subject }}", "scope": "{{ print .Extra.scope }}" }'