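import jwt, { type SignOptions } from "jsonwebtoken";
import type { JWTPayload } from "../types/user.js";
import { UserRole } from "../types/user.js";
import { logger } from "../monitoring/logger.js";

/** Placeholder secret used only when JWT_SECRET is unset outside production. */
const DEFAULT_DEV_SECRET = "your-secret-key-change-in-production";

/**
 * Resolves the HMAC secret used to sign and verify tokens.
 *
 * The hard-coded fallback keeps local development runnable without
 * configuration, but a publicly known secret lets anyone mint tokens that
 * verify, so in production an unset JWT_SECRET is a startup error rather
 * than a silent downgrade.
 *
 * @returns The configured secret, or the development placeholder.
 * @throws Error when NODE_ENV is "production" and JWT_SECRET is not set.
 */
function resolveSecret(): string {
  const configured = process.env["JWT_SECRET"];
  if (configured) return configured;
  if (process.env["NODE_ENV"] === "production") {
    throw new Error("JWT_SECRET must be set in production");
  }
  logger.warn("JWT_SECRET is not set; using the insecure development default");
  return DEFAULT_DEV_SECRET;
}

const JWT_SECRET: string = resolveSecret();
const JWT_EXPIRES_IN: string = process.env["JWT_EXPIRES_IN"] || "7d";
/**
 * The single accepted algorithm. Pinned on both sign and verify so a token
 * is only ever accepted under the algorithm it was issued with.
 */
const JWT_ALGORITHM = "HS256" as const;

/**
 * Creates a signed JWT for a user.
 *
 * @param payload - Claims to embed. They are signed, not encrypted, so the
 *   token must not carry anything the client may not read.
 * @returns The compact serialized token.
 */
export function createToken(payload: JWTPayload): string {
  // expiresIn takes a duration string or seconds; the env value is a plain
  // string, which is why the options object is cast rather than declared.
  const options = {
    algorithm: JWT_ALGORITHM,
    expiresIn: JWT_EXPIRES_IN,
  } as SignOptions;
  return jwt.sign(payload, JWT_SECRET, options);
}

/**
 * Verifies a JWT's signature and expiry.
 *
 * @param token - Compact serialized token taken from an untrusted request.
 * @returns The decoded claims, or null when the token is invalid, expired
 *   or signed with a different algorithm.
 */
export function verifyToken(token: string): JWTPayload | null {
  try {
    const decoded = jwt.verify(token, JWT_SECRET, {
      algorithms: [JWT_ALGORITHM],
    });
    // verify() may return a bare string payload; only an object can carry
    // the claims JWTPayload describes.
    if (typeof decoded !== "object" || decoded === null) {
      logger.warn("JWT verification failed", {
        error: "payload is not an object",
      });
      return null;
    }
    // NOTE(review): JWTPayload's fields are declared elsewhere and are not
    // checked here — add claim validation if callers depend on their shape.
    return decoded as JWTPayload;
  } catch (error: unknown) {
    logger.warn("JWT verification failed", { error });
    return null;
  }
}

/**
 * Extracts the bearer token from an Authorization header value.
 *
 * Expected format is "Bearer <token>". The scheme name is matched
 * case-insensitively (RFC 7235 §2.1) and surrounding whitespace is
 * tolerated; the token itself is returned as-is.
 *
 * @param authHeader - Raw header value, or null when absent.
 * @returns The token, or null when the header is missing or malformed
 *   (including an empty token after the scheme).
 */
export function extractTokenFromHeader(
  authHeader: string | null
): string | null {
  if (!authHeader) return null;
  const parts = authHeader.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0]?.toLowerCase() !== "bearer") {
    return null;
  }
  const token = parts[1];
  return token ? token : null;
}

/**
 * Checks whether a user's role is one of the required roles.
 *
 * @param userRole - The role carried by the user.
 * @param requiredRoles - Roles that grant access; an empty list grants none.
 * @returns true when userRole is in requiredRoles.
 */
export function hasRole(
  userRole: UserRole,
  requiredRoles: readonly UserRole[]
): boolean {
  return requiredRoles.includes(userRole);
}

/**
 * Checks whether a user's role is the admin role.
 *
 * @param userRole - The role carried by the user.
 * @returns true for UserRole.ADMIN, false otherwise.
 */
export function isAdmin(userRole: UserRole): boolean {
  return userRole === UserRole.ADMIN;
}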