package authjwt

import (
	"context"
	"errors"
	"time"
)

// ErrTokenRevoked is the sentinel error RefreshTokenPair returns when the
// JTI of the presented refresh token is found on the blacklist.
//
// Match it with errors.Is(err, authjwt.ErrTokenRevoked). A match means a
// revoked token was presented again (a replay attack); any other error is an
// infrastructure error. Telling the two apart lets callers log and alert on
// replays separately from outages.
var ErrTokenRevoked = errors.New("token revoked")

// Blacklist is the revocation store for refresh tokens, keyed by JTI: it
// records revoked JTIs and answers whether a given JTI has been revoked.
//
// einherjar/cache-valkey satisfies this interface via duck typing (Go
// interfaces are satisfied implicitly by method set).
type Blacklist interface {
	// IsRevoked reports whether jti is on the blacklist.
	//
	// NOTE(review): a non-nil error presumably means the lookup itself
	// failed, which says nothing about whether the token is valid. How
	// RefreshTokenPair reacts to that is not visible here; refusing the
	// refresh (failing closed) is the safe behaviour - confirm.
	IsRevoked(ctx context.Context, jti string) (bool, error)

	// Revoke records jti as revoked for the duration ttl.
	//
	// ttl should match the token's remaining lifetime so that entries
	// expire naturally instead of accumulating.
	// NOTE(review): a ttl shorter than the remaining lifetime would
	// presumably let the entry lapse while the token is still valid, and
	// the revoked token would then be accepted again - confirm callers
	// derive ttl from the token's expiry.
	Revoke(ctx context.Context, jti string, ttl time.Duration) error
}