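// Throwaway verification endpoint for O.9: decodes the access token currently
// stored in the operator's nuxt-oidc-auth session and returns the claims we
// care about (iss, aud, sub, exp, groups). NEVER returns the raw token.
//
// Security notes:
//  - The JWT is decoded, NOT verified. The signature is not checked here, so
//    nothing in this response may be used to make an authorization decision;
//    it exists only so an operator can eyeball iss/aud/groups during rollout.
//  - It requires a valid operator session and only echoes claims the caller
//    can already read from their own token, but the response still carries
//    email/groups, so remove it once O.9 is verified rather than leaving a
//    permanent debugging surface.
//  - Decode failures (opaque/reference access tokens, a corrupted session)
//    map to a 422 with a generic message; the token is never included in an
//    error or log line.
import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

/** The subset of claims echoed back to the operator. Values are not typed
 *  beyond `unknown` because they are taken from an unverified payload. */
interface ClaimSummary {
  iss: unknown
  aud: unknown
  sub: unknown
  email: unknown
  groups: unknown
  exp: unknown
  iat: unknown
}

/** True when `value` is a plain (non-array, non-null) JSON object. */
function isClaimSet(value: unknown): value is Record<string, unknown> {
  return typeof value === 'object' && value !== null && !Array.isArray(value)
}

/**
 * Base64url-decodes the payload segment of a compact-serialized JWT
 * (`header.payload[.signature]`) WITHOUT verifying the signature.
 *
 * @param token compact JWT string
 * @returns the parsed payload object
 * @throws Error when the string is not shaped like a JWT, the payload is not
 *   valid JSON, or the JSON is not an object; the message never includes the
 *   token or any fragment of it
 */
function decodeJwtClaims(token: string): Record<string, unknown> {
  const segments = token.split('.')
  const payloadSegment = segments[1]
  if (segments.length < 2 || payloadSegment === undefined) {
    throw new Error('Not a JWT')
  }
  // base64url -> standard base64, then restore the padding base64url strips.
  const b64 = payloadSegment.replace(/-/g, '+').replace(/_/g, '/')
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4)
  let parsed: unknown
  try {
    parsed = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'))
  } catch {
    throw new Error('JWT payload is not valid JSON')
  }
  // JSON.parse may yield null, an array or a primitive; reading `.iss` off
  // null would otherwise crash the handler with a TypeError.
  if (!isClaimSet(parsed)) {
    throw new Error('JWT payload is not a claim set')
  }
  return parsed
}

export default defineEventHandler(async (event): Promise<ClaimSummary> => {
  const session = await getUserSession(event).catch(() => null)
  const accessToken = (session as { accessToken?: string } | null)?.accessToken
  if (!accessToken) {
    throw createError({ statusCode: 401, statusMessage: 'No session' })
  }

  let claims: Record<string, unknown>
  try {
    claims = decodeJwtClaims(accessToken)
  } catch {
    // Opaque (reference) access tokens or a corrupted session land here.
    // Deliberately generic so no token material leaks into the response.
    throw createError({
      statusCode: 422,
      statusMessage: 'Access token is not a decodable JWT',
    })
  }

  // NOTE(review): the body carries email/groups; consider
  // setHeader(event, 'Cache-Control', 'no-store') so no intermediary caches it.
  return {
    iss: claims.iss,
    aud: claims.aud,
    sub: claims.sub,
    email: claims.email,
    groups: claims.groups,
    exp: claims.exp,
    iat: claims.iat,
  }
})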