using System.Security.Cryptography;
using System.Text;

namespace PatchProbe.Cli.Auth;

internal sealed class EcdsaRequestAuthenticator(IDeviceCredentialStore store) : IRequestAuthenticator
{
    public Task AuthenticateAsync(HttpRequestMessage request, string requestBody, CancellationToken ct = default)
    {
        if (!store.IsEnrolled)
            return Task.CompletedTask;

        var creds = store.Load();

        using var ecdsa = ECDsa.Create();
        ecdsa.ImportPkcs8PrivateKey(Convert.FromBase64String(creds.PrivateKeyPkcs8), out _);

        var timestamp = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds().ToString();
        var bodyHash = Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(requestBody)));

        // Signed message: deviceId LF timestamp LF sha256(body)
        var message = Encoding.UTF8.GetBytes($"{creds.DeviceId}\n{timestamp}\n{bodyHash}");
        var signature = Convert.ToBase64String(ecdsa.SignData(message, HashAlgorithmName.SHA256));

        request.Headers.Add("X-Device-Id", creds.DeviceId);
        request.Headers.Add("X-Timestamp", timestamp);
        request.Headers.Add("X-Signature", signature);

        return Task.CompletedTask;
    }
}