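import crypto from "crypto";
import { secrets } from "./secrets";

/** AES-256-GCM: confidentiality plus an authentication tag over the ciphertext. */
const ALGORITHM = "aes-256-gcm";

/**
 * IV length in bytes. GCM's reference nonce size is 12 bytes; 16 is kept here
 * because ciphertexts already produced by this module use it and the IV is
 * stored next to the content, so decrypt() handles either length.
 */
const IV_LENGTH = 16;

/**
 * Full 128-bit authentication tag. Passing this to createDecipheriv() makes
 * setAuthTag() reject shorter tags; without it Node accepts truncated GCM tags
 * (down to 32 bits), which lowers forgery resistance for attacker-supplied
 * records.
 */
const AUTH_TAG_LENGTH = 16;

/** A 256-bit key encoded as 64 hex digits (e.g. `openssl rand -hex 32`). */
const HEX_KEY_PATTERN = /^[a-f0-9]{64}$/i;

/** Any even-length hex string, including the empty string. */
const HEX_PATTERN = /^(?:[a-f0-9]{2})*$/i;

/**
 * Reads and validates the encryption key from the secrets module.
 *
 * @returns {Buffer} the 32-byte key
 * @throws {Error} if ENCRYPTION_KEY is missing or not a 64-character hex string
 */
function getEncryptionKey() {
  const key = secrets.ENCRYPTION_KEY ?? "";
  if (!HEX_KEY_PATTERN.test(key)) {
    throw new Error(
      "ENCRYPTION_KEY muss ein 64 Zeichen langer Hex-String sein. Beispiel: openssl rand -hex 32"
    );
  }
  return Buffer.from(key, "hex");
}

/**
 * Decodes one hex-encoded field of a ciphertext record into a Buffer.
 *
 * Buffer.from(value, "hex") silently stops at the first non-hex character and
 * drops a trailing odd digit, so malformed input is rejected here explicitly
 * instead of surfacing later as an opaque decipher error.
 *
 * @param {unknown} value - the field as received from the caller
 * @param {string} name - field name, used in the error message
 * @param {number} [expectedLength] - required decoded length in bytes, if fixed
 * @returns {Buffer} the decoded bytes
 * @throws {Error} if the field is not an even-length hex string of the expected length
 */
function hexField(value, name, expectedLength) {
  if (typeof value !== "string" || !HEX_PATTERN.test(value)) {
    throw new Error(`${name} must be a hex-encoded string`);
  }
  const bytes = Buffer.from(value, "hex");
  if (expectedLength !== undefined && bytes.length !== expectedLength) {
    throw new Error(`${name} must decode to ${expectedLength} bytes`);
  }
  return bytes;
}

/**
 * Encrypts a UTF-8 string with AES-256-GCM under a fresh random IV.
 *
 * @param {string} text - plaintext to protect
 * @returns {{ iv: string, content: string, tag: string }} hex-encoded IV,
 *   ciphertext and authentication tag; decrypt() needs all three
 * @throws {Error} if the key is not configured (see getEncryptionKey)
 */
export function encrypt(text) {
  const key = getEncryptionKey();
  // A fresh random IV per message: IV reuse under the same key breaks GCM.
  const iv = crypto.randomBytes(IV_LENGTH);
  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
    authTagLength: AUTH_TAG_LENGTH,
  });
  const encrypted = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("hex"),
    content: encrypted.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
  };
}

/**
 * Decrypts a record produced by encrypt() and verifies its authentication tag.
 *
 * @param {{ iv: string, content: string, tag: string }} record - hex-encoded
 *   IV, ciphertext and tag
 * @returns {string} the UTF-8 plaintext
 * @throws {Error} if the key is not configured, if a field is not valid hex,
 *   if the tag is not exactly 16 bytes, or if authentication fails because the
 *   key is wrong or any field was altered
 */
export function decrypt({ iv, content, tag }) {
  const key = getEncryptionKey();
  const decipher = crypto.createDecipheriv(ALGORITHM, key, hexField(iv, "iv"), {
    authTagLength: AUTH_TAG_LENGTH,
  });
  decipher.setAuthTag(hexField(tag, "tag", AUTH_TAG_LENGTH));
  // final() performs the tag check and throws if content, iv or tag were altered.
  const decrypted = Buffer.concat([
    decipher.update(hexField(content, "content")),
    decipher.final(),
  ]);
  return decrypted.toString("utf8");
}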