import { createHmac, timingSafeEqual } from 'node:crypto'

/** POST /api/room/dashboard/create-live-input 須帶此 header */
export const DASHBOARD_API_HASH_HEADER = 'x-hash'

export const CREATE_LIVE_INPUT_HASH_ACTION = 'create-live-input'

const TOKEN_TTL_SEC = 300

/** 與 WS 伺服器、wsCrypto 使用相同 secret 來源，避免 SSR 與 API 驗證不一致 */
function getApiHashSecret(): string {
    return String(
        process.env.API_HASH_SECRET ??
            process.env.WS_SECRET ??
            process.env.NEXT_PUBLIC_WS_SECRET ??
            'gp-live-ws-key'
    ).trim()
}

/** 產生帶過期時間的請求 hash（僅伺服器產生，由 Dashboard SSR 傳給前端） */
export function createDashboardActionHash(userId: string, action: string): string {
    const secret = getApiHashSecret()
    const uid = String(userId ?? '').trim()
    const act = String(action ?? '').trim()
    if (!secret || !uid || !act) return ''

    const expiresAt = Math.floor(Date.now() / 1000) + TOKEN_TTL_SEC
    const message = `${uid}:${act}:${expiresAt}`
    const signature = createHmac('sha256', secret).update(message).digest('hex')
    return `${expiresAt}.${signature}`
}

export function verifyDashboardActionHash(
    userId: string,
    action: string,
    token: string
): boolean {
    const secret = getApiHashSecret()
    const uid = String(userId ?? '').trim()
    const act = String(action ?? '').trim()
    const raw = String(token ?? '').trim()
    if (!secret || !uid || !act || !raw) return false

    const dot = raw.indexOf('.')
    if (dot <= 0) return false

    const expiresAt = Number(raw.slice(0, dot))
    const signature = raw.slice(dot + 1)
    if (!Number.isFinite(expiresAt) || !/^[a-f0-9]{64}$/i.test(signature)) {
        return false
    }
    if (expiresAt < Math.floor(Date.now() / 1000)) return false

    const message = `${uid}:${act}:${expiresAt}`
    const expected = createHmac('sha256', secret).update(message).digest('hex')

    try {
        return timingSafeEqual(Buffer.from(signature, 'hex'), Buffer.from(expected, 'hex'))
    } catch {
        return false
    }
}
