import { createHmac } from 'crypto';

type StreamPlaybackPayload = {
  sessionId: string;
  viewerDeviceId: string;
  userId: string;
  exp: number;
};

const secret = process.env.BETTER_AUTH_SECRET;

if (!secret) {
  throw new Error('BETTER_AUTH_SECRET is required for stream playback token signing');
}

const sign = (data: string): string => createHmac('sha256', secret).update(data).digest('base64url');

export const createStreamPlaybackToken = (
  payload: Omit<StreamPlaybackPayload, 'exp'>,
  ttlSeconds = 60 * 15,
): string => {
  const body: StreamPlaybackPayload = {
    ...payload,
    exp: Math.floor(Date.now() / 1000) + ttlSeconds,
  };

  const encodedPayload = Buffer.from(JSON.stringify(body), 'utf8').toString('base64url');
  const signature = sign(encodedPayload);

  return `${encodedPayload}.${signature}`;
};