"""Signed bearer tokens when session cookies are not stored (e.g. some HF Space proxies)."""

from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer

from web.backend.config import get_session_secret

_MAX_AGE = 14 * 24 * 3600


def create_auth_token() -> str:
    s = URLSafeTimedSerializer(get_session_secret())
    return s.dumps({"web_auth": True, "v": 1})


def verify_auth_token(token: str) -> bool:
    try:
        s = URLSafeTimedSerializer(get_session_secret())
        data = s.loads(token, max_age=_MAX_AGE)
        return (
            isinstance(data, dict)
            and data.get("v") == 1
            and data.get("web_auth") is True
        )
    except (BadSignature, SignatureExpired):
        return False