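'use strict';

const jwt = require('jsonwebtoken');

const SECRET = process.env.JWT_SECRET;
const EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';

// The only algorithm ever issued and the only one ever accepted on verify.
// Pinning the accepted list is what blocks alg-confusion ("none", RS->HS) tokens.
const ALGORITHM = 'HS256';

// RFC 7518 §3.2: an HMAC key MUST be at least as long as the hash output
// (256 bits for HS256). A shorter secret can be brute-forced offline from a
// single captured token.
const MIN_SECRET_BYTES = 32;

let secretChecked = false;

/**
 * Returns the HMAC secret after validating it once.
 *
 * Validation is lazy (first use, not require time) so that loading this module
 * only for `bearer()`, or in tests, does not depend on the environment. The
 * check is deliberately NOT inside verify()'s try/catch: a missing secret is a
 * deployment error and must surface loudly, not masquerade as "invalid token".
 *
 * @returns {string} the configured secret
 * @throws {Error} if JWT_SECRET is unset/empty or shorter than 256 bits
 */
function secretKey() {
  if (!secretChecked) {
    if (typeof SECRET !== 'string' || SECRET.length === 0) {
      throw new Error('JWT_SECRET is not configured');
    }
    if (Buffer.byteLength(SECRET, 'utf8') < MIN_SECRET_BYTES) {
      throw new Error(`JWT_SECRET must be at least ${MIN_SECRET_BYTES} bytes for HS256`);
    }
    secretChecked = true;
  }
  return SECRET;
}

/**
 * Signs a JWT for a user and a session.
 * Payload: { sub: userId, username, session_id }
 *
 * @param {{ id: *, username?: string }} user - user record; `id` becomes `sub`
 * @param {*} sessionId - stored as `session_id`
 * @returns {string} the signed, compact-serialised token
 * @throws {TypeError} if `user.id` is missing — a token without a subject
 *   would still verify but identify nobody, so it is refused rather than minted
 * @throws {Error} if JWT_SECRET is unusable (see secretKey) or jsonwebtoken
 *   rejects the payload / EXPIRES_IN value
 */
function sign(user, sessionId) {
  if (user == null || user.id == null) {
    throw new TypeError('sign(): user.id is required');
  }
  return jwt.sign(
    { sub: user.id, username: user.username, session_id: sessionId },
    secretKey(),
    { algorithm: ALGORITHM, expiresIn: EXPIRES_IN }
  );
}

/**
 * Verifies and decodes a token.
 *
 * Signature, algorithm (HS256 only) and `exp` are checked by jsonwebtoken.
 * On top of that the payload must be an object carrying `sub`: a valid
 * signature only proves the secret signed *something*, and this module's
 * callers rely on the shape sign() produces.
 *
 * @param {string} token - compact JWT (anything else is reported as invalid)
 * @returns {{ valid: boolean, payload?: Object, reason?: string }}
 *   `reason` is 'expired' for an expired token, 'invalid' for any other failure
 * @throws {Error} only if JWT_SECRET is misconfigured (never for bad tokens)
 */
function verify(token) {
  const key = secretKey(); // outside the try on purpose, see secretKey()
  let p;
  try {
    p = jwt.verify(token, key, { algorithms: [ALGORITHM] });
  } catch (err) {
    return {
      valid: false,
      reason: err.name === 'TokenExpiredError' ? 'expired' : 'invalid',
    };
  }
  // jsonwebtoken can return a string payload for tokens not produced by sign();
  // treat those, and object payloads without a subject, as invalid.
  if (typeof p !== 'object' || p === null || p.sub == null) {
    return { valid: false, reason: 'invalid' };
  }
  return {
    valid: true,
    payload: {
      user_id: p.sub,
      username: p.username,
      session_id: p.session_id,
      iat: p.iat,
      exp: p.exp,
    },
  };
}

/**
 * Extracts the token from an `Authorization: Bearer <token>` header.
 *
 * Per RFC 6750 §2.1 the header is the scheme, one or more spaces, then the
 * token; the scheme name is case-insensitive. Any other shape — missing
 * token, extra fields after the token, a different scheme, a non-string
 * value — yields null. (The token's character set is not validated here;
 * verify() rejects anything that is not a well-formed JWT.)
 *
 * @param {string|undefined} header - raw Authorization header value
 * @returns {string|null} the token, or null if the header is not a bearer credential
 */
function bearer(header) {
  if (typeof header !== 'string') return null;
  // Split on any run of whitespace so "Bearer  x" and "Bearer\tx" are accepted;
  // require exactly two fields so trailing garbage is not silently ignored.
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2) return null;
  const [scheme, token] = parts;
  return scheme.toLowerCase() === 'bearer' ? token : null;
}

module.exports = { sign, verify, bearer };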