"""
Fields with @internal may only be queried from 
internal systems and are not exposed to 3rd-party
api clients.
"""
directive @internal on FIELD_DEFINITION

"""
Fields with @feToken require an frontend token
to be submitted with the request.
"""
directive @feToken on FIELD_DEFINITION

"""
Fields with @self may only be queried when queried
directly by the actor represented by the object.
"""
directive @self on FIELD_DEFINITION

enum SecondFactorType {
  TOTP
  # WEBAUTHN
}

type SecondFactor {
  enabled: Boolean!
  name: String!
  type: SecondFactorType!
}

type User implements Node {
  id: ID!
  username: String!
  email: String!
  secondFactors: [SecondFactor!]! @self
}

union Actor = User

enum SessionState {
  EMPTY
  UNAUTHENTICATED
  AWAITING_FACTOR
  AUTHENTICATED_PENDING
  AUTHENTICATED_FULLY
  AUTHENTICATED_PASSWORD_CHANGE
  AUTHENTICATED_2FA_ENROLL
  AUTHENTICATED_REVIEW_TOS
  AUTHENTICATED_REVIEW_RECOVERY
}

type FeSession implements Node {
  id: ID!
  state: SessionState!
}

type Query {
  self: Actor!

  user(id: ID!): User!
  authFeSession(id: ID!): FeSession! @internal @feToken

  node(id: ID!): Node!
}

type Mutation {
  authFeSessionCreate: FeSession! @internal @feToken
  authFeSessionIdentify(session: ID!, identification: String!): FeSession! @internal @feToken
  authFeSessionPassword(session: ID!, password: String!): FeSession! @internal @feToken
  authFeSessionTOTP(session: ID!, totp: String!): FeSession! @internal @feToken
  authFeSessionLock(session: ID!): FeSession! @internal @feToken
  authFeSessionLogout(session: ID!): FeSession! @internal @feToken

  authFeTokenCreate: String!
}

interface Node {
  id: ID!
}