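# Receives the callbacks that end an OIDC sign-in attempt: the success
# callback carrying the provider's auth hash, and the failure callback.
# Both actions are reachable without an existing session.
class OmniauthCallbacksController < ApplicationController
  # Upper bound on the request-supplied failure reason echoed into the flash.
  FAILURE_REASON_MAX_LENGTH = 64

  allow_unauthenticated_access only: [:oidc, :failure]

  # Success callback: maps the provider's auth hash to a local user and
  # starts a session for it, or sends the browser back to the sign-in page.
  def oidc
    auth_hash = request.env['omniauth.auth']

    # The env key is absent when the request did not pass through the
    # OmniAuth callback phase (for example the route was hit directly).
    # Fail closed instead of handing nil to User.from_oidc.
    if auth_hash.nil?
      redirect_to new_session_path, alert: "Failed to sign in via OIDC - no authentication data received"
      return
    end

    # NOTE(review): the alert below suggests User.from_oidc looks users up by
    # email. Confirm it only trusts an email the provider marks as verified,
    # and ideally keys on issuer + subject; that logic is not visible here.
    user = User.from_oidc(auth_hash)

    if user
      start_new_session_for(user)
      redirect_to after_login_path, notice: "Successfully signed in via OIDC"
    else
      redirect_to new_session_path, alert: "Failed to sign in via OIDC - email not found"
    end
  end

  # Failure callback: returns to the sign-in page with a short reason.
  def failure
    redirect_to new_session_path, alert: "Authentication failed: #{failure_reason}"
  end

  private

  # Reason shown after a failed attempt. params[:message] is request input on
  # an unauthenticated route, so anyone can link to this action with text of
  # their choosing. Reduce it to a short identifier-like token so the banner
  # cannot carry arbitrary wording, and so an oversized value cannot bloat the
  # flash (which matters if the session store is cookie-backed).
  def failure_reason
    reason = params[:message].to_s.gsub(/[^A-Za-z0-9_\- ]/, '')[0, FAILURE_REASON_MAX_LENGTH]
    reason.empty? ? 'unknown error' : reason
  end

  # Post-login destination: the return location stored in the session
  # (consumed on read), falling back to the root URL.
  # NOTE(review): presumably the stored value is written server-side before
  # the redirect to sign-in; verify it is never filled from a request
  # parameter, otherwise this becomes an open redirect.
  def after_login_path
    session.delete(:return_to_after_authenticating) || root_url
  end
end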