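from __future__ import annotations

from datetime import timedelta

from aws_lambda_powertools.event_handler.exceptions import ForbiddenError
from jose import ExpiredSignatureError, JWTError, jwt
from layercake.dateutils import now

from config import (
    ISSUER,
    JWT_ALGORITHM,
    JWT_EXP_SECONDS,
    JWT_SECRET,
    REFRESH_TOKEN_EXP_SECONDS,
)

# Values of the ``typ`` claim. Refresh tokens have always carried
# ``REFRESH_TOKEN_TYPE``; access tokens issued before this claim was added
# carry no ``typ`` at all and are treated as ``ACCESS_TOKEN_TYPE`` on verify.
ACCESS_TOKEN_TYPE = 'access'
REFRESH_TOKEN_TYPE = 'refresh'


def _signed_token(user_id: str, lifetime_seconds: int, **extra_claims: object) -> str:
    """Build and sign a token for *user_id* that expires in *lifetime_seconds*.

    Shared by the access- and refresh-token generators so the registered
    claims (``sub``, ``iat``, ``exp``, ``iss``) are always produced the same
    way. ``extra_claims`` are merged first, so they can never override a
    registered claim.

    Args:
        user_id: value of the ``sub`` claim.
        lifetime_seconds: seconds from now until ``exp``.
        **extra_claims: additional claims (e.g. ``email``, ``typ``).

    Returns:
        The compact-serialised token signed with JWT_SECRET / JWT_ALGORITHM.
    """
    issued_at = now()
    expires_at = issued_at + timedelta(seconds=lifetime_seconds)
    payload = {
        **extra_claims,
        'sub': user_id,
        'iat': int(issued_at.timestamp()),
        'exp': int(expires_at.timestamp()),
        'iss': ISSUER,
    }
    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)


def generate_jwt(user_id: str, email: str) -> str:
    """Return a signed access token for *user_id* valid for JWT_EXP_SECONDS.

    The ``email`` claim is embedded verbatim; the ``typ`` claim marks the
    token as an access token so verify_jwt can tell it from a refresh token.
    """
    return _signed_token(
        user_id, JWT_EXP_SECONDS, email=email, typ=ACCESS_TOKEN_TYPE,
    )


def generate_refresh_token(user_id: str) -> str:
    """Return a signed refresh token for *user_id* valid for REFRESH_TOKEN_EXP_SECONDS.

    Refresh tokens are signed with the same secret and algorithm as access
    tokens; only the ``typ`` claim distinguishes them.
    """
    return _signed_token(
        user_id, REFRESH_TOKEN_EXP_SECONDS, typ=REFRESH_TOKEN_TYPE,
    )


def verify_jwt(token: str, *, expected_typ: str | None = None) -> dict:
    """Validate *token* and return its claims.

    The signature is checked against JWT_SECRET using only JWT_ALGORITHM
    (the ``alg`` header cannot select a different algorithm), ``exp`` is
    enforced by jose, and ``iss`` must equal ISSUER. When *expected_typ* is
    given, the token's ``typ`` claim must match it; a token with no ``typ``
    is treated as an access token.

    Callers that accept only access tokens should pass
    ``expected_typ=ACCESS_TOKEN_TYPE``: without it a (longer-lived) refresh
    token is accepted anywhere an access token is, since both are signed with
    the same key. The default is ``None`` to keep existing callers working.

    Args:
        token: the compact-serialised token from the request.
        expected_typ: required value of the ``typ`` claim, or ``None`` to skip
            the check.

    Returns:
        The decoded claims.

    Raises:
        ForbiddenError: if the token is expired, malformed, signed with the
            wrong key or algorithm, carries the wrong issuer, or has a
            ``typ`` other than *expected_typ*.
    """
    try:
        payload = jwt.decode(
            token, JWT_SECRET, algorithms=[JWT_ALGORITHM], issuer=ISSUER,
        )
    except ExpiredSignatureError as err:
        # Must precede the JWTError handler: ExpiredSignatureError subclasses it.
        raise ForbiddenError('Token expired') from err
    except JWTError as err:
        # Bad signature, wrong issuer (JWTClaimsError) or unparsable input.
        raise ForbiddenError('Invalid token') from err
    if expected_typ is not None and payload.get('typ', ACCESS_TOKEN_TYPE) != expected_typ:
        raise ForbiddenError('Invalid token')
    return payload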