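"""
utils/security.py — password hashing, session management, CSRF tokens
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

import bcrypt
from itsdangerous import URLSafeTimedSerializer

from config import SECRET_KEY, SESSION_EXPIRE_SECONDS


# ── Password hashing ───────────────────────────────────────────────

def hash_password(plain: str) -> str:
    """Hash a password with bcrypt using a fresh random salt and cost factor 12.

    Args:
        plain: The password as entered by the user; encoded as UTF-8 before hashing.

    Returns:
        The bcrypt hash string (salt and cost are embedded in it) for storage.
    """
    # NOTE(review): bcrypt only considers the first 72 bytes of its input.
    # Depending on the installed bcrypt release, longer input is either
    # truncated silently or rejected with an error. Confirm which applies
    # and enforce a matching length limit where passwords are accepted.
    secret = plain.encode()
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(secret, salt).decode()


def verify_password(plain: str, hashed: str) -> bool:
    """Check a candidate password against a stored bcrypt hash.

    Args:
        plain: The password supplied at login.
        hashed: The value previously returned by ``hash_password``.

    Returns:
        True when the password matches the stored hash, otherwise False.
    """
    # NOTE(review): no exception is handled here, so a malformed or
    # non-bcrypt ``hashed`` value surfaces as whatever bcrypt.checkpw raises
    # rather than as False. Confirm callers treat that as a failed login.
    return bcrypt.checkpw(plain.encode(), hashed.encode())


# ── Session tokens ─────────────────────────────────────────────────

def generate_session_id() -> str:
    """Return a new session identifier: 32 random bytes as 64 hex characters.

    The bytes come from ``secrets``, i.e. the OS cryptographic RNG.
    """
    return secrets.token_hex(32)


def session_expiry() -> datetime:
    """Return the expiry time for a session created now.

    Returns:
        A *naive* datetime holding the current UTC time plus
        ``SESSION_EXPIRE_SECONDS``. The tzinfo is stripped on purpose, so
        the value must only be compared with other naive UTC datetimes;
        comparing it with an aware datetime raises TypeError.
    """
    now_utc = datetime.now(timezone.utc).replace(tzinfo=None)
    return now_utc + timedelta(seconds=SESSION_EXPIRE_SECONDS)


# ── CSRF protection ────────────────────────────────────────────────

_csrf_serializer = URLSafeTimedSerializer(SECRET_KEY, salt="csrf")


def _csrf_binding(session_id: str) -> str:
    """Return a one-way digest that ties a CSRF token to a session."""
    # The serializer signs its payload but does not encrypt it, so whatever
    # is passed to dumps() can be read back out of the token by anyone who
    # sees it. Only a SHA-256 digest of the session ID goes into the token.
    # The digest is unkeyed and relies on the session ID being high-entropy
    # (as produced by generate_session_id). The prefix keeps this digest
    # distinct from any other SHA-256 of the session ID.
    return hashlib.sha256(b"csrf:" + session_id.encode()).hexdigest()


def generate_csrf_token(session_id: str) -> str:
    """Create a signed, timestamped CSRF token bound to ``session_id``.

    The token carries a digest of the session ID rather than the ID itself,
    so rendering the token into a page or form does not disclose the session
    identifier.

    Args:
        session_id: Identifier of the session the token is issued for.

    Returns:
        A URL-safe token string.
    """
    return _csrf_serializer.dumps(_csrf_binding(session_id))


def verify_csrf_token(token: str, session_id: str, max_age: int = 3600) -> bool:
    """Validate a CSRF token for the given session.

    Args:
        token: The token submitted with the request.
        session_id: Identifier of the session the request belongs to.
        max_age: Maximum accepted token age in seconds.

    Returns:
        True only when the token's signature is valid, it is not older than
        ``max_age``, and it is bound to ``session_id``. Any failure returns
        False.
    """
    try:
        value = _csrf_serializer.loads(token, max_age=max_age)
        # Constant-time comparison against the digest binding.
        if hmac.compare_digest(value, _csrf_binding(session_id)):
            return True
        # Tokens issued before the digest binding carry the raw session ID.
        # Keep accepting them so forms already rendered still submit; this
        # branch can be dropped once max_age has elapsed after deployment.
        return hmac.compare_digest(value, session_id)
    except Exception:
        # Fail closed: a bad signature, an expired or malformed token, or a
        # payload that compare_digest cannot handle all count as rejection.
        return False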