using System.Security.Cryptography;
using System.Text;

namespace SoroushAsadi.Services;

/// <summary>Single-password authentication for the admin panel.</summary>
public class AuthService(IConfiguration config, IWebHostEnvironment env)
{
    private string? GetPassword()
    {
        var pw = config["ADMIN_PASSWORD"] ?? Environment.GetEnvironmentVariable("ADMIN_PASSWORD");
        if (!string.IsNullOrEmpty(pw)) return pw;
        // Allow "admin" in Development only
        return env.IsDevelopment() ? "admin" : null;
    }

    /// <summary>True when the submitted password matches the configured one (constant-time).</summary>
    public bool VerifyPassword(string input)
    {
        var expected = GetPassword();
        if (expected is null) return false;

        var a = SHA256Hash(input);
        var b = SHA256Hash(expected);
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(a),
            Encoding.UTF8.GetBytes(b));
    }

    public bool IsConfigured() => GetPassword() is not null;

    private static string SHA256Hash(string input)
    {
        var bytes = SHA256.HashData(Encoding.UTF8.GetBytes(input));
        return Convert.ToHexString(bytes).ToLowerInvariant();
    }
}