package com.vincent.rsf.openApi.service.impl;

import com.vincent.rsf.openApi.entity.constant.Constants;
import com.vincent.rsf.openApi.security.service.AppAuthService;
import com.vincent.rsf.openApi.service.TokenService;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
 * 对接 Token：JWT（密钥来自配置，重启后同一密钥仍可校验未过期 token；claims 仅含 appId）
 */
@Slf4j
@Service
public class TokenServiceImpl implements TokenService {

    private static final String CLAIM_APP_ID = "appId";

    private final AppAuthService appAuthService;
    private final SecretKey secretKey;
    private final long expireMs;

    @Autowired
    public TokenServiceImpl(
            AppAuthService appAuthService,
            @Value("${open-api.jwt.secret:}") String jwtSecret,
            @Value("${open-api.jwt.expire-seconds:3600}") long expireSeconds) {
        this.appAuthService = appAuthService;
        if (!StringUtils.hasText(jwtSecret)) {
            throw new IllegalStateException("请配置 open-api.jwt.secret（HS256，建议至少 32 字符或使用环境变量覆盖）");
        }
        this.secretKey = hmacSha256Key(jwtSecret.trim());
        this.expireMs = expireSeconds * 1000L;
    }

    /** 短字符串用 SHA-256 派生 32 字节以满足 HS256 */
    private static SecretKey hmacSha256Key(String secret) {
        byte[] bytes = secret.getBytes(StandardCharsets.UTF_8);
        if (bytes.length < 32) {
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                bytes = md.digest(bytes);
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }
        return Keys.hmacShaKeyFor(bytes);
    }

    @Override
    public String issueToken(String appId, String appSecret) {
        if (!StringUtils.hasText(appId) || !StringUtils.hasText(appSecret)) {
            return null;
        }
        if (!appAuthService.validateApp(appId, appSecret)) {
            return null;
        }
        long now = System.currentTimeMillis();
        Map<String, Object> claims = new HashMap<>();
        claims.put(CLAIM_APP_ID, appId);
        String compact = Jwts.builder()
                .setClaims(claims)
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + expireMs))
                .signWith(secretKey, SignatureAlgorithm.HS256)
                .compact();
        return Constants.TOKEN_PREFIX + compact;
    }

    @Override
    public boolean validateToken(String token) {
        return getAppIdIfValid(token) != null;
    }

    @Override
    public String getAppIdIfValid(String rawToken) {
        if (!StringUtils.hasText(rawToken)) {
            return null;
        }
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(secretKey)
                    .build()
                    .parseClaimsJws(rawToken)
                    .getBody();
            Date exp = claims.getExpiration();
            if (exp == null || exp.before(new Date())) {
                return null;
            }
            Object appId = claims.get(CLAIM_APP_ID);
            return appId != null ? appId.toString() : null;
        } catch (JwtException e) {
            log.debug("JWT 校验失败: {}", e.getMessage());
            return null;
        }
    }
}