use chrono::Utc;
use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode};
use systemprompt_models::auth::JwtAudience;
use crate::error::{OauthError, OauthResult};
use crate::models::JwtClaims;
pub fn validate_jwt_token(
token: &str,
jwt_secret: &str,
issuer: &str,
audiences: &[JwtAudience],
) -> OauthResult<JwtClaims> {
let mut validation = Validation::new(Algorithm::HS256);
validation.set_issuer(&[issuer]);
let audience_strs: Vec<&str> = audiences.iter().map(JwtAudience::as_str).collect();
validation.set_audience(&audience_strs);
let token_data = decode::<JwtClaims>(
token,
&DecodingKey::from_secret(jwt_secret.as_bytes()),
&validation,
)
.map_err(|e| OauthError::Token(format!("JWT validation failed: {e}")))?;
let now = Utc::now().timestamp();
if token_data.claims.exp < now {
return Err(OauthError::Token("Token has expired".to_string()));
}
Ok(token_data.claims)
}