/**
 * Auth wrapper — local JWT verification for rSpace server.
 *
 * When JWT_SECRET is available, verifies tokens locally via HMAC-SHA256 (<1ms).
 * Otherwise falls back to internal HTTP call to EncryptID service.
 * Re-exports extractToken and types for convenience.
 */

import { verifyEncryptIDToken, extractToken } from "@encryptid/sdk/server";
import type { EncryptIDClaims, VerifyOptions } from "@encryptid/sdk/server";

export { extractToken };
export type { EncryptIDClaims };

const JWT_SECRET = process.env.JWT_SECRET;
const ENCRYPTID_INTERNAL = process.env.ENCRYPTID_INTERNAL_URL || "http://encryptid:3000";

const verifyOpts: VerifyOptions = JWT_SECRET
	? { secret: JWT_SECRET }
	: { serverUrl: ENCRYPTID_INTERNAL };

export function verifyToken(token: string): Promise<EncryptIDClaims> {
	return verifyEncryptIDToken(token, verifyOpts);
}