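import Foundation

/// JWT parsing helpers. **Does not verify any signature** — the server remains
/// the source of truth. This type only performs a local expiry check so the
/// client can refresh proactively.
///
/// Nothing read here is authenticated, so every claim value is untrusted
/// input. Use the result only as a hint for scheduling a refresh, never as the
/// basis for an authentication or authorization decision.
public enum JWT {
    /// Reads the `exp` claim from a JWT, if present.
    ///
    /// - Parameter token: The token text, expected as three non-empty,
    ///   dot-separated segments (`header.payload.signature`).
    /// - Returns: The `exp` claim interpreted as seconds since the Unix epoch,
    ///   or `nil` when the token does not have exactly three non-empty
    ///   segments, the payload is not valid base64url-encoded JSON with an
    ///   object at the top level, or `exp` is missing, not numeric, or not
    ///   finite.
    public static func expiry(of token: String) -> Date? {
        // Keep empty segments while splitting: with the default behaviour a
        // malformed input such as "a..b.c" collapses to three parts and would
        // be parsed as if it were well-formed.
        let segments = token.split(separator: ".", omittingEmptySubsequences: false)
        guard segments.count == 3, segments.allSatisfy({ !$0.isEmpty }) else { return nil }

        guard let payloadData = base64URLDecode(String(segments[1])) else { return nil }
        guard let claims = try? JSONSerialization.jsonObject(with: payloadData) as? [String: Any] else {
            return nil
        }
        // The claim is unauthenticated; reject values that cannot denote a
        // point in time instead of handing them to `Date`.
        guard let exp = claims["exp"] as? TimeInterval, exp.isFinite else { return nil }
        return Date(timeIntervalSince1970: exp)
    }

    /// Decodes a base64url string (URL-safe alphabet, padding optional).
    ///
    /// - Parameter value: The base64url text of one token segment.
    /// - Returns: The decoded bytes, or `nil` if the text is not valid base64
    ///   after the alphabet is mapped back and padding is restored.
    private static func base64URLDecode(_ value: String) -> Data? {
        // Map the URL-safe alphabet back to the standard one.
        var base64 = value
            .replacingOccurrences(of: "-", with: "+")
            .replacingOccurrences(of: "_", with: "/")
        // Tokens normally omit '=' padding; `Data(base64Encoded:)` needs a
        // length that is a multiple of four.
        let paddingNeeded = (4 - base64.count % 4) % 4
        base64.append(String(repeating: "=", count: paddingNeeded))
        return Data(base64Encoded: base64)
    }
}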