import jwt from 'jsonwebtoken'
import { randomUUID } from 'node:crypto'
import { UserType } from '../../src/constants.js'

/**
 * Test-only helper: signs an access token that the production `authenticate`
 * plugin will accept. The claim layout follows
 * src/services/token.service.js#signAccessToken.
 *
 * issueTokens is intentionally bypassed because it inserts an auth_sessions
 * row; skipping it keeps tests decoupled from that table. Per the original
 * author, production access-token verification checks only the JWT signature
 * and claims and never touches the DB.
 * NOTE(review): tokens minted here have no backing session row, so any
 * production path that consults session state (revocation, logout) is not
 * exercised by them. Confirm those paths have their own tests.
 *
 * Security caveat: a token signed here is a valid credential for whatever
 * `userId` is passed, wherever the same secret is configured. The
 * AUTH_JWT_SECRET used for test runs should therefore be a test-only value
 * that is never shared with a deployed environment.
 *
 * @param {object} params
 * @param {string} params.userType - value placed in the `user_type` claim
 * @param {string} params.userId - value placed in the `sub` claim
 * @param {string} [params.sessionId] - value for the `session_id` claim; a
 *   random UUID is generated when omitted. Pass one explicitly if a test
 *   asserts on session_id.
 * @returns {string} compact HS256-signed JWT, valid for 3600 seconds
 * @throws {Error} when AUTH_JWT_SECRET is unset or shorter than 32 characters
 */
function sign({ userType, userId, sessionId = randomUUID() }) {
  const { AUTH_JWT_SECRET: signingKey } = process.env

  // Sanity floor only: this counts characters, not entropy. RFC 7518 §3.2
  // requires an HS256 key of at least 256 bits.
  const keyLooksUsable = Boolean(signingKey) && signingKey.length >= 32
  if (!keyLooksUsable) {
    throw new Error('AUTH_JWT_SECRET missing or too short for test JWT minting')
  }

  const claims = { user_type: userType, session_id: sessionId }
  // The algorithm is pinned explicitly rather than left to the library default.
  const signOptions = {
    algorithm: 'HS256',
    expiresIn: 3600,
    subject: userId,
  }

  return jwt.sign(claims, signingKey, signOptions)
}

// Per-role wrappers. `opts` is spread last, so besides `sessionId` a caller
// can also override `userType` / `userId` through it.

/** Token for a customer principal. */
export const customerJwt = (userId, opts = {}) => {
  return sign({ userType: UserType.CUSTOMER, userId, ...opts })
}

/** Token for a mitra principal. */
export const mitraJwt = (userId, opts = {}) => {
  return sign({ userType: UserType.MITRA, userId, ...opts })
}

/** Token for a CC user principal. */
export const ccJwt = (userId, opts = {}) => {
  return sign({ userType: UserType.CC_USER, userId, ...opts })
}

/** Builds the `Authorization: Bearer …` header object for app.inject calls. */
export const authHeader = (token) => {
  const authorization = `Bearer ${token}`
  return { authorization }
}