"""JWT encode/decode. TTL and secret come from config. Supports revocation via jti."""
from datetime import UTC, datetime, timedelta

import jwt

from app.config import settings
from app.utils.exceptions import UnauthorizedError
from app.utils.security import generate_token


def create_access_token(tenant_id: str, email: str, plan: str) -> tuple[str, str, datetime]:
    """Issue a signed access token for a tenant.

    The token is signed with ``settings.jwt_secret`` using
    ``settings.jwt_algorithm`` and expires ``settings.jwt_ttl_days`` days
    after issuance.

    Args:
        tenant_id: Stored in the ``sub`` claim.
        email: Stored in the ``email`` claim.
        plan: Stored in the ``plan`` claim.

    Returns:
        A ``(token, jti, expires_at)`` tuple. ``expires_at`` keeps sub-second
        precision, while the ``exp`` claim inside the token is truncated to
        whole seconds.
    """
    issued_at = datetime.now(UTC)
    expires_at = issued_at + timedelta(days=settings.jwt_ttl_days)

    # Per-token identifier returned to the caller alongside the token.
    # NOTE(review): presumably generate_token(16) is drawn from a CSPRNG and
    # the caller persists the jti for revocation; confirm in app.utils.security.
    jti = generate_token(16)

    # The claims are signed, not encrypted: anyone holding the token can read
    # email and plan, so nothing secret belongs in this dict.
    claims = dict(
        sub=tenant_id,
        email=email,
        plan=plan,
        jti=jti,
        iat=int(issued_at.timestamp()),
        exp=int(expires_at.timestamp()),
    )
    signed = jwt.encode(claims, settings.jwt_secret, algorithm=settings.jwt_algorithm)
    return signed, jti, expires_at


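def decode_access_token(token: str) -> dict:
    """Verify an access token and return its claims.

    The signature is checked with ``settings.jwt_secret`` and only the single
    algorithm named in ``settings.jwt_algorithm`` is accepted. The ``exp``,
    ``sub`` and ``jti`` claims must be present; without that requirement a
    validly signed token lacking ``exp`` would never expire and one lacking
    ``jti`` could not be matched against a revocation record.

    This function does not consult any revocation store itself.
    NOTE(review): presumably the caller checks the returned ``jti``; confirm.

    Args:
        token: The encoded JWT as received from the client (untrusted).

    Returns:
        The decoded claims.

    Raises:
        UnauthorizedError: If the token is expired, or invalid in any other
            way (bad signature, wrong algorithm, malformed, missing a
            required claim).
    """
    # Claims that create_access_token always sets and that the expiry and
    # revocation logic depend on. A missing one raises
    # jwt.MissingRequiredClaimError, a subclass of InvalidTokenError.
    required_claims = ["exp", "sub", "jti"]
    try:
        return jwt.decode(
            token,
            settings.jwt_secret,
            # Explicit allow-list: the algorithm in the token header is never trusted.
            algorithms=[settings.jwt_algorithm],
            options={"require": required_claims},
        )
    except jwt.ExpiredSignatureError as e:
        # Must precede InvalidTokenError, of which it is a subclass.
        raise UnauthorizedError("Oturum süresi doldu.") from e
    except jwt.InvalidTokenError as e:
        raise UnauthorizedError("Geçersiz token.") from e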
