package authjwt

import (
	"fmt"

	"github.com/golang-jwt/jwt/v5"
)

var _ Signer = (*hmacSigner)(nil)

type hmacSigner struct{ secret []byte }

// NewHMACSigner returns a Signer backed by HMAC-SHA256 (HS256).
// secret should be at least 32 bytes; shorter values are accepted but weakened.
func NewHMACSigner(secret []byte) Signer {
	return &hmacSigner{secret: secret}
}

func (s *hmacSigner) Sign(claims jwt.Claims) (string, error) {
	return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(s.secret)
}

func (s *hmacSigner) Verify(tokenString string) (*jwt.Token, error) {
	return jwt.Parse(tokenString, func(t *jwt.Token) (any, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method %q", t.Header["alg"])
		}
		return s.secret, nil
	}, jwt.WithJSONNumber())
}