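// token.ts
//
// Token generation and hashing utilities for authentication.
// Raw tokens are never stored - only their SHA-256 hashes.

import { createHash, randomBytes } from "node:crypto";

/** Length of a raw token in bytes (32 bytes = 256 bits of entropy). */
const TOKEN_BYTES = 32;

/**
 * Generate a cryptographically secure random token.
 *
 * @returns A base64url-encoded string of TOKEN_BYTES random bytes
 *   (43 characters for 32 bytes, no padding).
 */
function generateToken(): string {
  return randomBytes(TOKEN_BYTES).toString("base64url");
}

/**
 * Hash a raw token for storage; the raw token itself is never persisted.
 *
 * A single unsalted SHA-256 is appropriate here because the input is a
 * high-entropy random token, not a low-entropy user password, so there is
 * nothing for a salt or a slow hash to protect against. Callers that compare
 * a freshly computed hash against a stored one in memory should use a
 * constant-time comparison (e.g. `crypto.timingSafeEqual`).
 *
 * @param token - The raw token string (as produced by `generateToken`).
 * @returns The lowercase hex SHA-256 digest of `token`.
 */
function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

/**
 * Extract a bearer token from an `Authorization` header value.
 *
 * Accepts exactly `Bearer <token>` (scheme matched case-insensitively,
 * single space separator). Anything else - a missing header, a different
 * scheme, extra whitespace-separated parts, or an empty token such as
 * `"Bearer "` - yields `null` so callers never treat an empty string as a
 * credential.
 *
 * @param header - The raw header value, or `undefined` if absent.
 * @returns The token portion, or `null` if the header is not a valid bearer header.
 */
function parseAuthorizationHeader(header: string | undefined): string | null {
  if (!header) {
    return null;
  }
  // Destructuring keeps each element typed as string | undefined, which is
  // what noUncheckedIndexedAccess requires us to handle explicitly.
  const [scheme, token, ...rest] = header.split(" ");
  if (rest.length !== 0 || scheme?.toLowerCase() !== "bearer") {
    return null;
  }
  // Reject "Bearer " (token is "") and "Bearer" (token is undefined).
  if (!token) {
    return null;
  }
  return token;
}

/** Cookie name used for web sessions. */
const SESSION_COOKIE_NAME = "diachron_session";

export {
  generateToken,
  hashToken,
  parseAuthorizationHeader,
  SESSION_COOKIE_NAME,
};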