/**
 * Read auth config from env. Returns only non-secret data for client.
 * Auth always allows local (password) sign-in and OIDC when configured.
 * @returns {{ oidc: { enabled: boolean, label: string } }} Public auth config (oidc.enabled, oidc.label).
 */
export function getAuthConfig() {
  const hasOidcEnv
    = process.env.OIDC_ISSUER && process.env.OIDC_CLIENT_ID && process.env.OIDC_CLIENT_SECRET
  const envLabel = process.env.OIDC_LABEL ?? ''
  const label = envLabel || (hasOidcEnv ? 'Sign in with OIDC' : '')
  return {
    oidc: {
      enabled: !!hasOidcEnv,
      label,
    },
  }
}