const crypto = require('crypto');

const PREFIX = 'enc:v1';

function getSecretKey() {
  const source =
    process.env.PAYMENT_CREDENTIAL_SECRET ||
    process.env.JWT_SECRET ||
    process.env.SNIPPE_API_KEY ||
    'development-only-payment-credential-secret';

  return crypto.createHash('sha256').update(String(source)).digest();
}

function encryptSecret(value) {
  if (!value) return null;
  const text = String(value);
  if (text.startsWith(`${PREFIX}:`)) return text;

  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', getSecretKey(), iv);
  const ciphertext = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();

  return [
    PREFIX,
    iv.toString('base64url'),
    tag.toString('base64url'),
    ciphertext.toString('base64url'),
  ].join(':');
}

function decryptSecret(value) {
  if (!value) return null;
  const text = String(value);
  if (!text.startsWith(`${PREFIX}:`)) return text;

  const parts = text.split(':');
  if (parts.length !== 5) {
    throw new Error('Invalid encrypted secret format');
  }

  const [, , ivValue, tagValue, ciphertextValue] = parts;
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm',
    getSecretKey(),
    Buffer.from(ivValue, 'base64url')
  );
  decipher.setAuthTag(Buffer.from(tagValue, 'base64url'));

  return Buffer.concat([
    decipher.update(Buffer.from(ciphertextValue, 'base64url')),
    decipher.final(),
  ]).toString('utf8');
}

function maskSecret(value) {
  const secret = decryptSecret(value);
  if (!secret) return null;
  if (secret.length <= 8) return '********';
  return `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

module.exports = {
  decryptSecret,
  encryptSecret,
  maskSecret,
};