#!/usr/bin/env bash
# Generate JWT token for Permissioned RPC access
# Usage: ./generate-jwt-token.sh [username] [expiry_days]

set -euo pipefail

PROXMOX_HOST="${PROXMOX_HOST:-192.168.11.10}"
VMID=2501
USERNAME="${1:-rpc-user}"
EXPIRY_DAYS="${2:-365}"

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

info() { echo -e "${GREEN}[INFO]${NC} $1"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
error() { echo -e "${RED}[ERROR]${NC} $1"; }

# Check if jq is installed
if ! command -v jq &> /dev/null; then
    error "jq is required but not installed. Install with: sudo apt install jq"
    exit 1
fi

# Get JWT secret from container
info "Retrieving JWT secret from VMID $VMID..."
JWT_SECRET=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no root@${PROXMOX_HOST} \
    "pct exec $VMID -- cat /etc/nginx/jwt_secret 2>/dev/null" || echo "")

if [ -z "$JWT_SECRET" ]; then
    error "Failed to retrieve JWT secret. Make sure JWT authentication is configured."
    exit 1
fi

# Calculate expiry time
EXPIRY=$(date -d "+${EXPIRY_DAYS} days" +%s)
NOW=$(date +%s)

# Create JWT payload
PAYLOAD=$(jq -n \
    --arg sub "$USERNAME" \
    --arg iat "$NOW" \
    --arg exp "$EXPIRY" \
    '{sub: $sub, iat: ($iat | tonumber), exp: ($exp | tonumber)}')

# Check if node is available for JWT generation
if command -v node &> /dev/null; then
    info "Generating JWT token using Node.js..."
    
    # Create temporary script
    TEMP_SCRIPT=$(mktemp)
    cat > "$TEMP_SCRIPT" <<NODE_SCRIPT
const crypto = require('crypto');
const base64url = require('base64url');

const header = {
    alg: 'HS256',
    typ: 'JWT'
};

const payload = ${PAYLOAD};

const secret = '${JWT_SECRET}';

function base64UrlEncode(str) {
    return Buffer.from(str)
        .toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
}

function sign(data, secret) {
    return crypto
        .createHmac('sha256', secret)
        .update(data)
        .digest('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
}

const encodedHeader = base64UrlEncode(JSON.stringify(header));
const encodedPayload = base64UrlEncode(JSON.stringify(payload));
const signature = sign(\`\${encodedHeader}.\${encodedPayload}\`, secret);

const token = \`\${encodedHeader}.\${encodedPayload}.\${signature}\`;
console.log(token);
NODE_SCRIPT

    TOKEN=$(node "$TEMP_SCRIPT" 2>/dev/null)
    rm -f "$TEMP_SCRIPT"
    
    if [ -n "$TOKEN" ]; then
        echo ""
        info "JWT Token generated successfully!"
        echo ""
        echo "Token: $TOKEN"
        echo ""
        echo "Usage:"
        echo "  curl -k -H 'Authorization: Bearer $TOKEN' \\"
        echo "    -H 'Content-Type: application/json' \\"
        echo "    -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_chainId\",\"params\":[],\"id\":1}' \\"
        echo "    https://rpc-http-prv.d-bis.org"
        echo ""
        exit 0
    fi
fi

# Fallback: Use Python if available
if command -v python3 &> /dev/null; then
    info "Generating JWT token using Python..."
    
    TOKEN=$(python3 <<PYTHON_SCRIPT
import hmac
import hashlib
import base64
import json
import time

def base64url_encode(data):
    return base64.urlsafe_b64encode(data).decode('utf-8').rstrip('=')

def create_jwt(payload, secret):
    header = {"alg": "HS256", "typ": "JWT"}
    
    encoded_header = base64url_encode(json.dumps(header, separators=(',', ':')).encode('utf-8'))
    encoded_payload = base64url_encode(json.dumps(payload, separators=(',', ':')).encode('utf-8'))
    
    message = f"{encoded_header}.{encoded_payload}"
    signature = hmac.new(
        secret.encode('utf-8'),
        message.encode('utf-8'),
        hashlib.sha256
    ).digest()
    encoded_signature = base64url_encode(signature)
    
    return f"{encoded_header}.{encoded_payload}.{encoded_signature}"

payload = ${PAYLOAD}
secret = '${JWT_SECRET}'
token = create_jwt(payload, secret)
print(token)
PYTHON_SCRIPT
)
    
    if [ -n "$TOKEN" ]; then
        echo ""
        info "JWT Token generated successfully!"
        echo ""
        echo "Token: $TOKEN"
        echo ""
        echo "Usage:"
        echo "  curl -k -H 'Authorization: Bearer $TOKEN' \\"
        echo "    -H 'Content-Type: application/json' \\"
        echo "    -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_chainId\",\"params\":[],\"id\":1}' \\"
        echo "    https://rpc-http-prv.d-bis.org"
        echo ""
        exit 0
    fi
fi

# If neither Node.js nor Python is available, provide instructions
error "Neither Node.js nor Python3 is available for JWT generation."
echo ""
warn "Please install one of the following:"
echo "  sudo apt install nodejs npm  # For Node.js"
echo "  sudo apt install python3     # For Python (usually pre-installed)"
echo ""
warn "Or use an online JWT generator with:"
echo "  Header: {\"alg\":\"HS256\",\"typ\":\"JWT\"}"
echo "  Payload: ${PAYLOAD}"
echo "  Secret: ${JWT_SECRET}"
exit 1