import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// AES-256-GCM với layout chuẩn của hạ tầng: base64(iv[12] | tag[16] | ct).
// Khoá lấy từ AUTH_SECRET (sha256 → 32 bytes).

const PREFIX = "aes:";

function getKey(): Buffer {
  const secret = process.env.AUTH_SECRET || "dev-insecure-secret-change-me";
  return createHash("sha256").update(secret).digest();
}

export function encrypt(plain: string): string {
  if (!plain) return "";
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", getKey(), iv);
  const ct = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return PREFIX + Buffer.concat([iv, tag, ct]).toString("base64");
}

export function decrypt(blob: string | null | undefined): string {
  if (!blob) return "";
  if (!blob.startsWith(PREFIX)) return blob; // legacy/plain
  const buf = Buffer.from(blob.slice(PREFIX.length), "base64");
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(12, 28);
  const ct = buf.subarray(28);
  const dec = createDecipheriv("aes-256-gcm", getKey(), iv);
  dec.setAuthTag(tag);
  return Buffer.concat([dec.update(ct), dec.final()]).toString("utf8");
}

export function maskSecret(s: string | null | undefined, keep = 4): string {
  if (!s) return "";
  if (s.length <= keep * 2) return "•".repeat(s.length);
  return s.slice(0, keep) + "••••••" + s.slice(-keep);
}

export function isEncrypted(s: string | null | undefined): boolean {
  return !!s && s.startsWith(PREFIX);
}
