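import { type NextResponse } from "next/server";
import { ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE } from "@/lib/auth/constants";

// Lifetime of the refresh cookie, in seconds.
const REFRESH_MAX_AGE = 60 * 60 * 24 * 30; // 30 days, matches Identity refresh TTL

/**
 * Attributes shared by every auth cookie this module writes or expires.
 *
 * - `httpOnly` keeps the token values out of reach of page scripts.
 * - `sameSite: "lax"` withholds the cookies from cross-site subrequests and
 *   non-GET cross-site navigations.
 * - `secure` is enabled only when NODE_ENV is "production", so any other
 *   environment (including a staging host that runs with a different
 *   NODE_ENV) will send the tokens over plain HTTP if it is reachable that way.
 *
 * NODE_ENV is read on every call rather than once at module load, as the
 * original inline code did.
 */
function authCookieBase() {
  return {
    httpOnly: true,
    sameSite: "lax",
    secure: process.env.NODE_ENV === "production",
    path: "/",
  } as const;
}

/**
 * Write the Identity access + refresh tokens as httpOnly cookies on a response.
 *
 * @param res - Response whose cookie jar receives both cookies.
 * @param accessToken - Value stored under ACCESS_TOKEN_COOKIE.
 * @param refreshToken - Value stored under REFRESH_TOKEN_COOKIE.
 * @param accessExpiresIn - Max-age for the access cookie; presumably seconds,
 *   like REFRESH_MAX_AGE. It is passed through unvalidated, so callers should
 *   hand in the value reported by the token issuer.
 * @returns The same response instance, for chaining.
 */
export function setAuthCookies(
  res: NextResponse,
  accessToken: string,
  refreshToken: string,
  accessExpiresIn: number
): NextResponse {
  const base = authCookieBase();

  res.cookies.set(ACCESS_TOKEN_COOKIE, accessToken, {
    ...base,
    maxAge: accessExpiresIn,
  });
  res.cookies.set(REFRESH_TOKEN_COOKIE, refreshToken, {
    ...base,
    maxAge: REFRESH_MAX_AGE,
  });

  return res;
}

/**
 * Expire both auth cookies (logout / failed refresh).
 *
 * The expiring Set-Cookie carries the same attributes as the one that created
 * the cookie. Previously `secure` and `sameSite` were omitted here; keeping
 * them aligned means a logout response is never treated differently from the
 * login response by the browser (for example, if the cookie names are ever
 * given a `__Secure-` or `__Host-` prefix, an expiry without `Secure` would
 * be rejected and the tokens would survive logout).
 *
 * @param res - Response whose cookie jar receives the two expiring cookies.
 * @returns The same response instance, for chaining.
 */
export function clearAuthCookies(res: NextResponse): NextResponse {
  const base = authCookieBase();

  for (const name of [ACCESS_TOKEN_COOKIE, REFRESH_TOKEN_COOKIE]) {
    // Empty value + maxAge 0 tells the browser to drop the cookie at once.
    res.cookies.set(name, "", { ...base, maxAge: 0 });
  }

  return res;
}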