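package jwt

import (
	"time"

	// NOTE(review): the unversioned import path resolves to the v3 line of
	// golang-jwt; newer major versions are published under /v4 and /v5.
	"github.com/golang-jwt/jwt"
	"github.com/google/uuid"
	"github.com/pkg/errors"
)

// NewAccess generates a signed HS256 access token for the provided subject.
//
// Claims written: iss (gen.trustedHost), scope ("access"), ttl, jti (a fresh
// random UUID), iat, exp, fresh and sub.
//
//   - fresh: when true, the "fresh" claim is set to iat plus
//     gen.freshExpireAfter*60; otherwise it equals iat, so the token carries
//     no freshness window.
//   - rememberMe: selects the "ttl" claim, "exp" when true and "session" when
//     false.
//
// The second result is the absolute expiry as a Unix timestamp (the value of
// the "exp" claim), not a duration, despite the result name expiresIn.
//
// An error is returned if the signing key is empty or signing fails.
func (gen *TokenGenerator) NewAccess(
	subjectID int,
	fresh bool,
	rememberMe bool,
) (tokenString string, expiresIn int64, err error) {
	// HS256 with an empty key still yields a syntactically valid signature,
	// but one that anybody can reproduce. Refuse to mint such a token.
	if len(gen.secretKey) == 0 {
		return "", 0, errors.New("jwt: signing key is empty")
	}

	issuedAt := time.Now().Unix()
	// The configured lifetimes are multiplied by 60, so they are presumably
	// expressed in minutes (confirm against TokenGenerator's definition).
	expiresAt := issuedAt + (gen.accessExpireAfter * 60)

	// A non-fresh token gets fresh == iat, i.e. freshness already lapsed.
	freshExpiresAt := issuedAt
	if fresh {
		freshExpiresAt = issuedAt + (gen.freshExpireAfter * 60)
	}

	ttl := "session"
	if rememberMe {
		ttl = "exp"
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"iss": gen.trustedHost,
		// "scope" is the only claim that tells access and refresh tokens
		// apart; whatever validates these tokens needs to check it.
		"scope": "access",
		"ttl":   ttl,
		"jti":   uuid.New(),
		"iat":   issuedAt,
		"exp":   expiresAt,
		"fresh": freshExpiresAt,
		"sub":   subjectID,
	})

	signedToken, err := token.SignedString([]byte(gen.secretKey))
	if err != nil {
		return "", 0, errors.Wrap(err, "token.SignedString")
	}
	return signedToken, expiresAt, nil
}

// NewRefresh generates a signed HS256 refresh token for the provided subject.
//
// Claims written: iss (gen.trustedHost), scope ("refresh"), ttl, jti (a fresh
// random UUID), iat, exp and sub. Unlike access tokens there is no "fresh"
// claim.
//
// rememberMe selects the "ttl" claim, "exp" when true and "session" when
// false. The second result is the absolute expiry as a Unix timestamp (the
// value of the "exp" claim).
//
// An error is returned if the signing key is empty or signing fails.
func (gen *TokenGenerator) NewRefresh(
	subjectID int,
	rememberMe bool,
) (tokenStr string, exp int64, err error) {
	// Same guard as NewAccess: an empty HMAC key makes the token forgeable.
	if len(gen.secretKey) == 0 {
		return "", 0, errors.New("jwt: signing key is empty")
	}

	issuedAt := time.Now().Unix()
	// Lifetime is multiplied by 60, so presumably configured in minutes
	// (confirm against TokenGenerator's definition).
	expiresAt := issuedAt + (gen.refreshExpireAfter * 60)

	ttl := "session"
	if rememberMe {
		ttl = "exp"
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"iss": gen.trustedHost,
		// Access and refresh tokens share one key, so "scope" is what keeps
		// a refresh token from being accepted where an access token is
		// expected; verifiers need to enforce it.
		"scope": "refresh",
		"ttl":   ttl,
		"jti":   uuid.New(),
		"iat":   issuedAt,
		"exp":   expiresAt,
		"sub":   subjectID,
	})

	signedToken, err := token.SignedString([]byte(gen.secretKey))
	if err != nil {
		return "", 0, errors.Wrap(err, "token.SignedString")
	}
	return signedToken, expiresAt, nil
}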