package authjwt

import (
	"context"
	"fmt"
	"time"

	"github.com/golang-jwt/jwt/v5"
)

// RefreshTokenPair validates refreshToken, checks the blacklist, revokes the old JTI,
// and issues a new token pair for the same uid.
// customClaims are merged into the new access token — re-fetch fresh permissions here
// so role changes take effect without revoking outstanding access tokens.
// Returns ErrTokenRevoked if the JTI is already on the blacklist (replay attack or
// re-use after rotation).
func RefreshTokenPair(ctx context.Context, signer Signer, refreshToken string, bl Blacklist, cfg TokenConfig, customClaims map[string]any) (TokenPair, error) {
	token, err := signer.Verify(refreshToken)
	if err != nil {
		return TokenPair{}, fmt.Errorf("invalid refresh token: %w", err)
	}

	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok {
		return TokenPair{}, fmt.Errorf("unexpected claims type in refresh token")
	}

	jti, _ := claims["jti"].(string)
	uid, _ := claims["sub"].(string)
	if jti == "" || uid == "" {
		return TokenPair{}, fmt.Errorf("missing required claims in refresh token")
	}

	revoked, err := bl.IsRevoked(ctx, jti)
	if err != nil {
		return TokenPair{}, fmt.Errorf("blacklist check: %w", err)
	}
	if revoked {
		return TokenPair{}, ErrTokenRevoked
	}

	expTime, err := claims.GetExpirationTime()
	if err != nil || expTime == nil {
		return TokenPair{}, fmt.Errorf("invalid expiration in refresh token")
	}
	remaining := time.Until(expTime.Time)
	if remaining < time.Second {
		remaining = time.Second
	}

	if err := bl.Revoke(ctx, jti, remaining); err != nil {
		return TokenPair{}, fmt.Errorf("revoke old token: %w", err)
	}

	return IssueTokenPair(signer, uid, customClaims, cfg)
}