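const fs = require('fs'); // not used yet; TODO Z1.4 below reads the private key with it
const path = require('path');
const jwt = require('jsonwebtoken');

// Development-only fallback. It is a fixed string in the source tree, so any
// token signed with it can be forged by anyone who can read this file.
const DEV_FALLBACK_SECRET = 'dev-secret-ne-koristiti-u-produkciji';

// True when the JWT_SECRET environment variable is missing or empty, i.e. the
// module fell back to the hard-coded development secret.
const isFallbackSecret = !process.env.JWT_SECRET;

// HMAC key used for HS256 signing; read once at module load.
const JWT_SECRET = process.env.JWT_SECRET || DEV_FALLBACK_SECRET;

/**
 * Location of the RSA private key (one directory above this file).
 * The file is expected to be created as part of TODO Z1.4; it should stay out
 * of version control and be readable only by the service account.
 *
 * @returns {string} Path to private.pem.
 */
function privateKeyPath() {
  return path.join(__dirname, '..', 'private.pem');
}

/**
 * Location of the RSA public key (one directory above this file).
 *
 * @returns {string} Path to public.pem.
 */
function publicKeyPath() {
  return path.join(__dirname, '..', 'public.pem');
}

/**
 * Issues a signed JWT for the given user, valid for 15 minutes.
 *
 * @param {{id: *, username: *, role: *}} user - Source of the `sub`,
 *   `username` and `role` claims.
 * @returns {string} The signed token (HS256).
 * @throws {Error} When NODE_ENV is 'production' and JWT_SECRET is not set:
 *   signing with the publicly known fallback secret is refused.
 */
function signToken(user) {
  // Fail closed: the fallback secret is for local development only.
  if (isFallbackSecret && process.env.NODE_ENV === 'production') {
    throw new Error(
      'JWT_SECRET must be set in production; refusing to sign with the development fallback secret',
    );
  }

  const payload = {
    sub: user.id,
    username: user.username,
    role: user.role,
  };

  // TODO Z1.4:
  // Replace symmetric HS256 signing with asymmetric RS256 signing.
  // 1. Generate api/private.pem and api/public.pem.
  // 2. Use fs.readFileSync(privateKeyPath()) instead of JWT_SECRET.
  // 3. Change algorithm from HS256 to RS256.
  // NOTE(review): after the switch, the verifying side should pin the accepted
  // algorithm (jwt.verify's `algorithms` option) so that tokens carrying any
  // other `alg` value are rejected.
  return jwt.sign(payload, JWT_SECRET, {
    algorithm: 'HS256',
    expiresIn: '15m',
  });
}

/**
 * Exported alias for publicKeyPath().
 *
 * @returns {string} Path to public.pem.
 */
function getPublicKeyPath() {
  return publicKeyPath();
}

module.exports = {
  signToken,
  getPublicKeyPath,
  privateKeyPath,
  publicKeyPath,
};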