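import jwt from 'jsonwebtoken';

/**
 * Mints a new JWT for our application's session management.
 * This token is what SurrealDB will validate.
 *
 * The token is signed with HS512 using the shared secret read from the
 * `SURREALDB_JWT_SECRET` environment variable and expires 7 days after
 * minting (`exp`/`iat` are set by `jwt.sign`).
 *
 * @param did - The user's canonical ATproto DID (e.g., "did:plc:...")
 * @param handle - The user's Bluesky handle (e.g., "user.bsky.social")
 * @returns A signed JWT string.
 * @throws Error if `SURREALDB_JWT_SECRET` is unset or empty, or if `did`
 *   or `handle` is not a non-empty string.
 */
export function mintSurrealJwt(did: string, handle: string): string {
  const secret = process.env.SURREALDB_JWT_SECRET;
  if (!secret) {
    throw new Error('SURREALDB_JWT_SECRET is not set in environment.');
  }

  // The `did` claim is what SurrealDB's PERMISSIONS clauses key on, so a
  // token must never be minted with an empty or non-string identity claim
  // (the `typeof` checks also cover callers compiled without strict types).
  if (typeof did !== 'string' || did.length === 0) {
    throw new Error('mintSurrealJwt: did must be a non-empty string.');
  }
  if (typeof handle !== 'string' || handle.length === 0) {
    throw new Error('mintSurrealJwt: handle must be a non-empty string.');
  }

  // This payload is critical. The `did` claim will be used
  // in SurrealDB's PERMISSIONS clauses.
  const payload = {
    // Standard JWT claims
    iss: 'Ponderants',
    aud: 'SurrealDB',
    // Custom claims
    did,
    handle,
  };

  // Token expires in 7 days; HS512 keeps the signing algorithm pinned so a
  // verifier cannot be steered to a weaker one via the header.
  return jwt.sign(payload, secret, {
    algorithm: 'HS512',
    expiresIn: '7d',
  });
}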