// Throwaway verification endpoint mirroring the operator one. Decodes the
// portal access token from the nuxt-oidc-auth session and echoes the claims
// that matter (iss/aud/sub/groups/exp). Useful for confirming that signing
// in here yields aud=dezky-portal, distinct from the operator's dezky-operator.

import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

function decodeJwtClaims(token: string): Record<string, unknown> {
  const parts = token.split('.')
  if (parts.length < 2) throw new Error('Not a JWT')
  const payload = parts[1]!.replace(/-/g, '+').replace(/_/g, '/')
  const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4)
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'))
}

export default defineEventHandler(async (event) => {
  const session = await getUserSession(event).catch(() => null)
  const accessToken = (session as { accessToken?: string } | null)?.accessToken
  if (!accessToken) throw createError({ statusCode: 401, statusMessage: 'No session' })

  const claims = decodeJwtClaims(accessToken)
  return {
    iss: claims.iss,
    aud: claims.aud,
    sub: claims.sub,
    email: claims.email,
    groups: claims.groups,
    exp: claims.exp,
    iat: claims.iat,
  }
})