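'use strict'

const JWT = require('jsonwebtoken')

/**
 * Builds the hapi-auth-jwt2 strategy options for this server.
 *
 * @param {{ jwtKey: string }} options - `jwtKey` becomes the strategy's
 *   verification key.
 * @returns {object} Strategy options: `key`, `verifyOptions` and `validate`.
 */
module.exports = options => {
  return {
    key: options.jwtKey,
    verifyOptions: {
      algorithms: ['HS256'],
    },
    // NOTE: TASK 3 Not yet done, but this passes a hashedSessionToken
    // through headers in failed attempt to never have raw JWT's in front end
    // Always check rawAccessToken, if it fails, we check the session, if session
    // is valid, then we reissue it
    // if session is NOT valid, DELETE the session (and kick user back to login)
    // TODO: set up cron job to occasionally clean up activeSessions
    //
    // `decoded` (the JWT the plugin already verified) and `h` are not used:
    // the Authorization header value is taken as a key into
    // `request.server.app.activeSessions`, and the session token stored there
    // is verified against process.env.APP_SECRET instead.
    // NOTE(review): the strategy key is options.jwtKey while the session token
    // is verified against process.env.APP_SECRET - confirm these are the same
    // secret, otherwise the two checks disagree.
    validate: (decoded, request, h) => {
      // NOTE: this won't work as it immediately invalidates anything that isn't a raw jwt
      const hashedSessionToken = request.headers.authorization
      const sessions = request.server.app.activeSessions

      // Reject unknown keys before dereferencing. A missing header or an
      // unknown key previously threw a TypeError on `.sessionToken`, which
      // escapes the try/catch below and surfaces as a server error instead
      // of an authentication failure. The own-property check also keeps
      // header values such as "__proto__" or "constructor" from reading
      // off the object prototype.
      if (
        typeof hashedSessionToken !== 'string' ||
        sessions == null ||
        !Object.prototype.hasOwnProperty.call(sessions, hashedSessionToken)
      ) {
        return { isValid: false, error: 'unknown session' }
      }
      const entry = sessions[hashedSessionToken]
      const sessionToken = entry == null ? undefined : entry.sessionToken

      // The session token is a bearer credential; it is deliberately not
      // logged. A missing token makes JWT.verify throw, which lands in the
      // catch below and yields isValid: false.
      try {
        // Pin the algorithm, matching verifyOptions above, so a token signed
        // with a different HMAC variant is not accepted here.
        const validatedJwt = JWT.verify(sessionToken, process.env.APP_SECRET, {
          algorithms: ['HS256'],
        })
        return {
          isValid: true,
          // NOTE(review): hapi normally expects `credentials` to be an
          // object; a bare email string is kept here for compatibility with
          // existing handlers - confirm downstream usage.
          credentials: validatedJwt.email,
        }
      } catch (err) {
        // jsonwebtoken errors carry only the reason, not the token itself.
        console.error('ERROR :=>', err)
        return { isValid: false, error: err.message }
      }
    },
  }
}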