import bcrypt from 'bcryptjs';
import crypto from 'crypto';

/**
 * Hashuje heslo pomocou bcrypt
 * @param {string} password - Plain text heslo
 * @returns {Promise<string>} Hashované heslo
 */
export const hashPassword = async (password) => {
  const rounds = parseInt(process.env.BCRYPT_ROUNDS) || 12;
  return bcrypt.hash(password, rounds);
};

/**
 * Porovná plain text heslo s hash
 * @param {string} password - Plain text heslo
 * @param {string} hash - Hashované heslo
 * @returns {Promise<boolean>} True ak sa zhodujú
 */
export const comparePassword = async (password, hash) => {
  return bcrypt.compare(password, hash);
};

/**
 * Generuje náhodné dočasné heslo
 * @param {number} length - Dĺžka hesla (default: 12)
 * @returns {string} Náhodné heslo
 */
export const generateTempPassword = (length = 12) => {
  const uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  const lowercase = 'abcdefghijklmnopqrstuvwxyz';
  const numbers = '0123456789';
  const special = '!@#$%^&*';
  const all = uppercase + lowercase + numbers + special;

  let password = '';

  // Zaručí aspoň jeden znak z každej kategórie
  password += uppercase[Math.floor(Math.random() * uppercase.length)];
  password += lowercase[Math.floor(Math.random() * lowercase.length)];
  password += numbers[Math.floor(Math.random() * numbers.length)];
  password += special[Math.floor(Math.random() * special.length)];

  // Zvyšok náhodne
  for (let i = password.length; i < length; i++) {
    password += all[Math.floor(Math.random() * all.length)];
  }

  // Zamieša znaky
  return password
    .split('')
    .sort(() => Math.random() - 0.5)
    .join('');
};

/**
 * Generuje náhodný verification token
 * @returns {string} UUID token
 */
export const generateVerificationToken = () => {
  return crypto.randomUUID();
};

/**
 * Encrypt emailPassword using AES-256-GCM
 * @param {string} text - Plain text password
 * @returns {string} Encrypted password in format: iv:authTag:encrypted
 */
export const encryptPassword = (text) => {
  if (!process.env.JWT_SECRET) {
    throw new Error('JWT_SECRET environment variable is required for password encryption');
  }

  const algorithm = 'aes-256-gcm';
  const key = crypto.scryptSync(process.env.JWT_SECRET, 'salt', 32);
  const iv = crypto.randomBytes(16);

  const cipher = crypto.createCipheriv(algorithm, key, iv);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');

  const authTag = cipher.getAuthTag();

  return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
};

/**
 * Decrypt emailPassword
 * @param {string} encryptedText - Encrypted password in format: iv:authTag:encrypted
 * @returns {string} Plain text password
 */
export const decryptPassword = (encryptedText) => {
  if (!process.env.JWT_SECRET) {
    throw new Error('JWT_SECRET environment variable is required for password decryption');
  }

  const algorithm = 'aes-256-gcm';
  const key = crypto.scryptSync(process.env.JWT_SECRET, 'salt', 32);

  const parts = encryptedText.split(':');
  const iv = Buffer.from(parts[0], 'hex');
  const authTag = Buffer.from(parts[1], 'hex');
  const encrypted = parts[2];

  const decipher = crypto.createDecipheriv(algorithm, key, iv);
  decipher.setAuthTag(authTag);

  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf8');

  return decrypted;
};