import { createHash, timingSafeEqual } from "node:crypto";

export const DEMO_ACCESS_COOKIE = "evolia_demo_access";

function getRequiredEnv(name: string) {
  const value = process.env[name]?.trim();

  if (!value) {
    throw new Error(
      `La variable d'environnement ${name} est requise pour le mode demo.`,
    );
  }

  return value;
}

export function getDemoAccessPassword() {
  return getRequiredEnv("DEMO_ACCESS_PASSWORD");
}

export function getDemoAccessCookieValue() {
  return createHash("sha256")
    .update(`evolia-demo:${getDemoAccessPassword()}`)
    .digest("hex");
}

export function getDemoAccessCookieOptions() {
  return {
    httpOnly: true,
    sameSite: "lax" as const,
    secure: process.env.NODE_ENV === "production",
    path: "/",
  };
}

export function passwordMatchesDemoAccess(input: string) {
  const expected = Buffer.from(getDemoAccessPassword(), "utf8");
  const received = Buffer.from(input, "utf8");

  if (expected.length !== received.length) {
    return false;
  }

  return timingSafeEqual(expected, received);
}

export function hasValidDemoAccessCookie(value: string | null | undefined) {
  if (!value) {
    return false;
  }

  return value === getDemoAccessCookieValue();
}

export function getSafeRedirectPath(next: string | null | undefined) {
  if (!next || !next.startsWith("/") || next.startsWith("//")) {
    return "/";
  }

  return next;
}