import { SignJWT, jwtVerify } from "jose";

// Name under which the session token is presumably stored as a cookie; the
// cookie itself is not set or read in this file.
// NOTE(review): confirm the code that sets it uses HttpOnly, Secure and SameSite.
export const SESSION_COOKIE = "poc_session";

// Identity carried by a session token: the input to createSessionToken and the
// result of a successful verifySessionToken. `roles` is only as trustworthy as
// the token signature, so callers should not accept a SessionUser from any
// other source.
export type SessionUser = { email: string; name: string; roles: string[] };

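/**
 * Returns the HMAC key used to sign and verify session tokens: the UTF-8 bytes
 * of the AUTH_SECRET environment variable.
 *
 * The fallback string below is committed to source, so a token signed with it
 * can be forged by anyone who has read this file. It is therefore honoured only
 * outside production; in production a missing or empty AUTH_SECRET is an error
 * rather than a silent downgrade to a publicly known key.
 *
 * NOTE(review): RFC 7518 §3.2 requires an HS256 key of at least 256 bits; the
 * length of AUTH_SECRET is not checked here.
 *
 * @returns the key bytes
 * @throws Error when NODE_ENV is "production" and AUTH_SECRET is unset or empty
 */
function secret(): Uint8Array {
  const configured = process.env.AUTH_SECRET;
  if (configured) {
    return new TextEncoder().encode(configured);
  }
  if (process.env.NODE_ENV === "production") {
    // Fail closed: never sign or verify production sessions with the dev key.
    throw new Error("AUTH_SECRET must be set in production");
  }
  return new TextEncoder().encode("dev-insecure-secret-change-me-in-env-local");
}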

/**
 * Mints a signed session token for `user`.
 *
 * The token is a JWT signed with HS256 using the key from `secret()`. It carries
 * the user's email, name and roles as claims, is stamped with the issue time,
 * and expires 12 hours later. The claims are signed, not encrypted: anyone
 * holding the token can read them, so nothing confidential belongs in
 * SessionUser.
 *
 * @param user identity to embed in the token
 * @returns the compact serialized JWT
 */
export async function createSessionToken(user: SessionUser): Promise<string> {
  const { email, name, roles } = user;

  const builder = new SignJWT({ email, name, roles })
    .setProtectedHeader({ alg: "HS256" })
    .setIssuedAt()
    .setExpirationTime("12h");

  const signed = await builder.sign(secret());
  return signed;
}

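/**
 * Verifies a session token and returns the user it describes.
 *
 * Fails closed: a missing token, a bad signature, an expired or malformed
 * token, a token signed with an algorithm other than HS256, or a token whose
 * claims do not have the expected shape all yield `null`. `secret()` is called
 * inside the `try`, so an error raised while loading the key also yields `null`.
 *
 * Claim handling:
 * - `email` must be a non-empty string. Coercing with `String()` would turn a
 *   missing claim into the literal "undefined" and accept any validly signed
 *   JWT, including one minted for another purpose with the same key, as a session.
 * - `name` falls back to `email` when absent, empty, or not a string.
 * - `roles` keeps only string entries. Coercing would flatten a nested value
 *   such as `["admin"]` to "admin"; for an authorization list, dropping the
 *   entry is the safer outcome.
 *
 * @param token compact JWT, typically read from the session cookie
 * @returns the session user, or `null` when the token is absent or not valid
 */
export async function verifySessionToken(
  token?: string,
): Promise<SessionUser | null> {
  if (!token) return null;
  try {
    // Pin the algorithm to the one createSessionToken signs with instead of
    // accepting every HMAC variant the key type allows.
    const { payload } = await jwtVerify(token, secret(), {
      algorithms: ["HS256"],
    });

    const email = payload.email;
    if (typeof email !== "string" || email.length === 0) return null;

    const claimedName = payload.name;
    const name =
      typeof claimedName === "string" && claimedName.length > 0
        ? claimedName
        : email;

    const roles = Array.isArray(payload.roles)
      ? payload.roles.filter(
          (role: unknown): role is string => typeof role === "string",
        )
      : [];

    return { email, name, roles };
  } catch {
    // Deliberately silent: every verification failure means "no session".
    return null;
  }
}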
