const crypto = require('crypto');

// Generate a random token
const generateToken = () => {
    return crypto.randomBytes(24).toString('hex');
};

// Middleware to protect against CSRF
const csrfProtection = (req, res, next) => {
    // Skip for GET, HEAD, OPTIONS (safe methods)
    if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
        return next();
    }

    // Skip for Login endpoint (initial session creation)
    if (req.path === '/api/login' || req.path === '/api/auth/login') {
        return next();
    }

    // Get token from header
    const tokenFromHeader = req.headers['x-csrf-token'];

    // Get token from session
    const tokenFromSession = req.session.csrfToken;

    if (!tokenFromSession || !tokenFromHeader || tokenFromSession !== tokenFromHeader) {
        console.error('CSRF mismatch:', { session: tokenFromSession, header: tokenFromHeader });
        return res.status(403).json({ success: false, message: 'Invalid CSRF Token' });
    }

    next();
};

module.exports = { generateToken, csrfProtection };