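const { generateKeyPairSync, sign } = require('crypto');
const fs = require('fs');

// Demo script: generates an Ed25519 key pair, stores both keys as base64url
// text files, and prints a JWT (alg EdDSA) signed with the new private key.

// Sizes of the DER encodings Node produces for Ed25519 keys: a fixed ASN.1
// prefix followed by the 32-byte raw key as the final bytes.
const RAW_KEY_BYTES = 32;
const SPKI_DER_BYTES = 44; // 12-byte prefix + 32-byte public key
const PKCS8_DER_BYTES = 48; // 16-byte prefix + 32-byte seed

// 1. Generate the Ed25519 key pair.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');

// 2. Extract the raw public key (32 bytes) from the tail of the SPKI DER.
const publicDer = publicKey.export({ format: 'der', type: 'spki' });
if (publicDer.length !== SPKI_DER_BYTES) {
  // Slicing the tail is only valid for the expected layout; refuse anything else.
  throw new Error(`Unexpected Ed25519 SPKI length: ${publicDer.length}`);
}
const publicRaw = publicDer.subarray(-RAW_KEY_BYTES);
const publicKeyBase64Url = publicRaw.toString('base64url');

// 3. Extract the raw private key (the 32-byte seed) from the PKCS#8 DER.
// The seed is the LAST 32 bytes of the 48-byte encoding. Slicing (-64, -32)
// on that buffer yields the first 16 bytes (the ASN.1 prefix) instead of the
// seed, so the stored "private key" would be 48 bytes of mostly public data.
const privateDer = privateKey.export({ format: 'der', type: 'pkcs8' });
if (privateDer.length !== PKCS8_DER_BYTES) {
  throw new Error(`Unexpected Ed25519 PKCS#8 length: ${privateDer.length}`);
}
const seed = privateDer.subarray(-RAW_KEY_BYTES);

// 4. Concatenate seed + public = 64 bytes.
const private64 = Buffer.concat([seed, publicRaw]);
if (private64.length !== 2 * RAW_KEY_BYTES) {
  throw new Error(`Unexpected private key length: ${private64.length}`);
}
const privateKeyBase64Url = private64.toString('base64url');

// 5. Save the keys.
fs.writeFileSync('jwt_public.key', publicKeyBase64Url);
// The private key is created owner-only. `mode` applies only when the file is
// created, so chmod also covers a file left over from an earlier run.
fs.writeFileSync('jwt_private.key', privateKeyBase64Url, { mode: 0o600 });
fs.chmodSync('jwt_private.key', 0o600);

console.log('✅ Chaves salvas:');
console.log('- Pública (jwt_public.key):', publicKeyBase64Url);
// The private key value is deliberately not echoed: stdout ends up in
// terminal scrollback, CI logs and shell captures. Read it from the file.
console.log('- Privada: jwt_private.key');
console.log('- Comprimento da privada (bytes):', private64.length); // Should be 64

// 6. Build a JWT without expiration.
// NOTE(review): there is no `exp` (or `iat`/`nbf`) claim, so this token stays
// valid until the signing key is rotated. Anything beyond a local test should
// set a short `exp` and have the verifier enforce it.
const header = {
  alg: 'EdDSA',
  typ: 'JWT',
};

const payload = {
  sub: 'usuario1',
  iss: 'meu-app',
};

const base64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

const encodedHeader = base64url(header);
const encodedPayload = base64url(payload);
const toSign = `${encodedHeader}.${encodedPayload}`;

// 7. Sign with the original KeyObject. Ed25519 takes no separate digest, so
// the algorithm argument is null.
const signature = sign(null, Buffer.from(toSign), privateKey).toString('base64url');

// 8. Assemble the complete JWT.
const jwt = `${toSign}.${signature}`;

console.log('\n✅ JWT gerado:\n');
console.log(jwt);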