import crypto from 'crypto';

// Signing keys are read once, at module load, from the process environment.
//
// NOTE(review): the trailing `!` is a compile-time assertion only. If the
// variable is unset the value is `undefined` at runtime, and if it is set to
// an empty string the value is '' — which crypto.createHmac accepts as a key.
// Nothing in this file checks for either case, so a deployment with a missing
// or empty JWT_SECRET is not rejected here. Validate presence and minimum
// length at application startup.
const JWT_SECRET = process.env.JWT_SECRET!;
// NOTE(review): not referenced by any function visible in this file — confirm
// where refresh tokens are actually keyed, or remove.
const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;

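/**
 * Builds a compact JWT (`header.payload.signature`) signed with HMAC-SHA256
 * under JWT_SECRET.
 *
 * `iat` and `exp` are written after the caller's claims, so any `iat`/`exp`
 * already present in `payload` is overwritten.
 *
 * @param payload - Claims to embed. Serialised with JSON.stringify and only
 *   base64url-encoded, not encrypted: do not put secrets in it.
 * @param expiresIn - Lifetime as `<positive integer><unit>`, unit being `s`,
 *   `m`, `h` or `d` (for example `'15m'`, `'7d'`, `'30d'`).
 * @returns The signed token.
 * @throws Error if `expiresIn` is not a supported duration, or if JWT_SECRET
 *   is missing or empty.
 */
export function signPayload(payload: object, expiresIn = '7d'): string {
  // An empty key is accepted by createHmac and would produce tokens anyone
  // can forge, so refuse to sign instead.
  if (!JWT_SECRET) {
    throw new Error('JWT_SECRET is not configured');
  }

  const secondsPerUnit: Record<string, number> = { s: 1, m: 60, h: 60 * 60, d: 24 * 60 * 60 };
  const match = /^(\d+)([smhd])$/.exec(expiresIn);
  const lifetime =
    match === null ? NaN : Number(match[1]) * (secondsPerUnit[match[2] ?? ''] ?? NaN);

  const now = Math.floor(Date.now() / 1000);
  const exp = now + lifetime;

  // Previously an unrecognised value silently produced exp === iat, i.e. a
  // token with no usable lifetime. Surface the mistake to the caller instead.
  if (!(lifetime > 0) || !Number.isSafeInteger(exp)) {
    throw new Error(`Unsupported expiresIn value: ${JSON.stringify(expiresIn)}`);
  }

  const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const data = Buffer.from(JSON.stringify({ ...payload, iat: now, exp })).toString('base64url');
  const signature = crypto
    .createHmac('sha256', JWT_SECRET)
    .update(`${header}.${data}`)
    .digest('base64url');

  return `${header}.${data}.${signature}`;
}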

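/**
 * Verifies a compact JWT produced with JWT_SECRET and returns its claims.
 *
 * The signature is always recomputed as HMAC-SHA256; the `alg` value in the
 * token's header is never consulted, so a token cannot choose its own
 * verification algorithm.
 *
 * Checks performed: exactly three segments, signature match (constant-time),
 * payload is a JSON object, and `exp` (when present) is a finite number that
 * has not passed. `iat` and other claims are not validated here.
 *
 * NOTE(review): a validly signed token without `exp` is still accepted and
 * never expires. Tokens from signPayload always carry `exp`; tighten this if
 * no other issuer shares the secret.
 *
 * @param token - The `header.payload.signature` string to verify.
 * @returns The decoded claims object, or `null` for any malformed, tampered,
 *   expired or unverifiable token.
 */
export function verifyToken(token: string): object | null {
  try {
    // Fail closed: with an empty key every party could compute a matching
    // signature.
    if (!JWT_SECRET) return null;

    const [header, payload, signature, ...extra] = token.split('.');
    if (
      header === undefined ||
      payload === undefined ||
      signature === undefined ||
      extra.length > 0
    ) {
      return null;
    }

    const expectedSig = crypto
      .createHmac('sha256', JWT_SECRET)
      .update(`${header}.${payload}`)
      .digest('base64url');

    // Compare the encoded strings byte-for-byte in constant time. `!==` on
    // strings can return early at the first differing character, which leaks
    // how much of a guessed signature was correct. Comparing the encoded form
    // (rather than decoded bytes) also keeps non-canonical encodings rejected.
    const expected = Buffer.from(expectedSig, 'utf8');
    const provided = Buffer.from(signature, 'utf8');
    if (provided.length !== expected.length || !crypto.timingSafeEqual(provided, expected)) {
      return null;
    }

    const data: unknown = JSON.parse(Buffer.from(payload, 'base64url').toString());
    // A claims set must be a JSON object; without this check a signed scalar
    // or array would be returned despite the declared return type.
    if (typeof data !== 'object' || data === null || Array.isArray(data)) return null;

    const { exp } = data as { exp?: unknown };
    if (exp !== undefined) {
      // A non-numeric exp compares as NaN and would never expire; exp of 0
      // was previously treated as "absent". Both are rejected now.
      if (typeof exp !== 'number' || !Number.isFinite(exp)) return null;
      if (Math.floor(Date.now() / 1000) > exp) return null;
    }

    return data;
  } catch {
    // Malformed base64/JSON or a crypto failure: treat as an invalid token.
    return null;
  }
}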

/**
 * Creates an opaque refresh token: 64 bytes from crypto.randomBytes, rendered
 * as 128 lowercase hex characters.
 *
 * The value is random only — it is not signed and carries no claims or
 * expiry, so validity and lifetime have to be tracked by whoever stores it.
 * NOTE(review): presumably persisted server-side; if so, store a hash of the
 * token rather than the raw value — confirm against the caller.
 *
 * @returns A freshly generated hex token.
 */
export function generateRefreshToken(): string {
  const tokenByteLength = 64;
  const entropy = crypto.randomBytes(tokenByteLength);
  return entropy.toString('hex');
}

/**
 * Returns the hex-encoded HMAC-SHA256 of `password`, keyed with JWT_SECRET.
 *
 * NOTE(review): this is not a suitable password-storage scheme, and it is
 * left unchanged here only because altering the output would invalidate
 * every stored hash and break callers that re-hash and compare.
 *  - It is one fast HMAC pass with no work factor, so offline guessing is
 *    cheap once the key is known.
 *  - There is no per-user salt: equal passwords yield equal digests.
 *  - The key is the token-signing secret, so one leaked value exposes both
 *    token forgery and password cracking, and rotating JWT_SECRET changes
 *    every password hash.
 * Plan a migration to a salted, memory-hard KDF (for example Node's built-in
 * crypto.scrypt) with its own parameters stored alongside the hash, re-hash
 * on next successful login, and compare digests with crypto.timingSafeEqual.
 *
 * @param password - The plaintext password.
 * @returns 64 lowercase hex characters.
 */
export function hashPassword(password: string): string {
  const keyedHash = crypto.createHmac('sha256', JWT_SECRET);
  keyedHash.update(password);
  return keyedHash.digest('hex');
}