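'use strict';

const JWT = require('jsonwebtoken');

// Signature algorithms this service accepts. The same list is handed to the
// plugin's verifyOptions and to the explicit JWT.verify inside `validate`, so
// the two checks cannot drift apart (an unpinned verify with a string secret
// also accepts HS384/HS512).
const ALLOWED_ALGORITHMS = ['HS256'];

/**
 * Return the bare token from an `Authorization` header value, accepting both
 * the raw token and the `Bearer <token>` form the auth scheme normally sends.
 *
 * @param {string | undefined} header - the raw header value, if any
 * @returns {string | undefined} the token, or `undefined` when none is present
 */
const extractToken = (header) => {
  if (typeof header !== 'string') return undefined;
  const trimmed = header.trim();
  if (trimmed === '') return undefined;
  const [scheme, value] = trimmed.split(/\s+/, 2);
  // `value` may be undefined for a bare "Bearer"; JWT.verify then rejects it.
  if (scheme.toLowerCase() === 'bearer') return value;
  return trimmed;
};

/**
 * Build the auth-strategy options consumed by the JWT auth plugin.
 *
 * @param {{ jwtKey: string }} options - `jwtKey` is the secret the plugin uses
 *   for its own signature check before `validate` is invoked
 * @returns {object} plugin options: `key`, `verifyOptions` and `validate`
 */
module.exports = (options) => ({
  key: options.jwtKey,
  verifyOptions: {
    algorithms: [...ALLOWED_ALGORITHMS],
  },
  // check the h object to see if the activeSessions is accessible from it
  // check useronlinestatus branch request.server.app
  /**
   * Re-verify the raw token from the Authorization header and map it to
   * credentials.
   *
   * @param {object} decoded - payload already verified by the plugin (unused
   *   here; the raw token is checked again against APP_SECRET)
   * @param {object} request - hapi request; only `headers.authorization` is read
   * @param {object} h - response toolkit (unused)
   * @returns {{ isValid: boolean, credentials?: string, error?: string }}
   */
  validate: (decoded, request, h) => {
    // QUESTION: How can we authenticate both Session and Access Tokens here?
    // Always check rawAccessToken; if it fails, check the session; if the
    // session is valid, reissue; if it is NOT valid, DELETE the session (and
    // kick the user back to login).
    // TODO: set up cron job to occasionally clean up activeSessions
    // NOTE(review): the plugin verifies with options.jwtKey while this check
    // uses process.env.APP_SECRET — confirm both are meant to be the same secret.
    const token = extractToken(request.headers.authorization);
    try {
      // Pin the algorithm list: without it jsonwebtoken accepts any HMAC
      // variant for a string secret, diverging from verifyOptions above.
      const validatedJwt = JWT.verify(token, process.env.APP_SECRET, {
        algorithms: [...ALLOWED_ALGORITHMS],
      });
      return {
        isValid: true,
        credentials: validatedJwt.email,
      };
    } catch (err) {
      // Missing token, malformed/expired token and bad signature all land here.
      console.error('ERROR :=>', err);
      return { isValid: false, error: err.message };
    }
  },
});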