package jwt

import (
	"time"
)

// jwtSecretManagerImpl implements the JWTSecretManager interface
type jwtSecretManagerImpl struct {
	secrets       []JWTSecret
	primarySecret string
}

// NewJWTSecretManager creates a new JWT secret manager
func NewJWTSecretManager(initialSecret string) JWTSecretManager {
	return &jwtSecretManagerImpl{
		secrets: []JWTSecret{
			{
				Secret:    initialSecret,
				IsPrimary: true,
				CreatedAt: time.Now(),
			},
		},
		primarySecret: initialSecret,
	}
}

// AddSecret adds a new JWT secret
func (m *jwtSecretManagerImpl) AddSecret(secret string, isPrimary bool, expiresIn time.Duration) {
	expiresAt := time.Now().Add(expiresIn)
	m.secrets = append(m.secrets, JWTSecret{
		Secret:    secret,
		IsPrimary: isPrimary,
		CreatedAt: time.Now(),
		ExpiresAt: &expiresAt,
	})

	if isPrimary {
		m.primarySecret = secret
	}
}

// RotateToSecret rotates to a new primary secret
func (m *jwtSecretManagerImpl) RotateToSecret(newSecret string) {
	// Mark existing primary as non-primary
	for i, secret := range m.secrets {
		if secret.IsPrimary {
			m.secrets[i].IsPrimary = false
			break
		}
	}

	// Add new secret as primary
	m.AddSecret(newSecret, true, 0) // No expiration for primary
}

// GetPrimarySecret returns the current primary secret
func (m *jwtSecretManagerImpl) GetPrimarySecret() string {
	return m.primarySecret
}

// GetAllValidSecrets returns all valid (non-expired) secrets
func (m *jwtSecretManagerImpl) GetAllValidSecrets() []JWTSecret {
	var validSecrets []JWTSecret
	now := time.Now()

	for _, secret := range m.secrets {
		if secret.ExpiresAt == nil || secret.ExpiresAt.After(now) {
			validSecrets = append(validSecrets, secret)
		}
	}

	return validSecrets
}

// GetSecretByIndex returns a secret by index for testing
func (m *jwtSecretManagerImpl) GetSecretByIndex(index int) (string, bool) {
	if index < 0 || index >= len(m.secrets) {
		return "", false
	}
	return m.secrets[index].Secret, true
}