import { createHash, timingSafeEqual } from 'node:crypto'

const WS_AUTH_PROTOCOL_PREFIX = 'rcs.auth.'

function sha256(value: string): Buffer {
  return createHash('sha256').update(value).digest()
}

export function encodeWebSocketAuthProtocol(token: string): string {
  return `${WS_AUTH_PROTOCOL_PREFIX}${Buffer.from(token, 'utf8').toString('base64url')}`
}

export function decodeWebSocketAuthProtocol(
  protocolHeader: string | undefined,
): string | undefined {
  if (!protocolHeader) {
    return undefined
  }

  for (const protocol of protocolHeader.split(',')) {
    const trimmed = protocol.trim()
    if (!trimmed.startsWith(WS_AUTH_PROTOCOL_PREFIX)) {
      continue
    }

    const encoded = trimmed.slice(WS_AUTH_PROTOCOL_PREFIX.length)
    if (!encoded) {
      return undefined
    }

    try {
      const token = Buffer.from(encoded, 'base64url').toString('utf8')
      return token.length > 0 ? token : undefined
    } catch {
      return undefined
    }
  }

  return undefined
}

export function extractBearerToken(
  authorizationHeader: string | undefined,
): string | undefined {
  return authorizationHeader?.startsWith('Bearer ')
    ? authorizationHeader.slice('Bearer '.length)
    : undefined
}

export function extractWebSocketAuthToken(headers: {
  authorization?: string
  protocol?: string
}): string | undefined {
  return (
    extractBearerToken(headers.authorization) ??
    decodeWebSocketAuthProtocol(headers.protocol)
  )
}

export function authTokensEqual(
  providedToken: string | undefined,
  expectedToken: string | undefined,
): boolean {
  if (!providedToken || !expectedToken) {
    return false
  }
  return timingSafeEqual(sha256(providedToken), sha256(expectedToken))
}