puffin-app/lib/admin/auth.ts

import jwt from 'jsonwebtoken';

const JWT_SECRET = process.env.JWT_SECRET || 'fallback-secret-key';
const TOKEN_EXPIRY = '24h'; // Token expires in 24 hours

export interface AdminUser {
  username: string;
  isAdmin: true;
}

export interface JWTPayload extends AdminUser {
  iat: number;
  exp: number;
}

/**
 * Verify admin credentials against environment variables
 */
export function verifyCredentials(username: string, password: string): boolean {
  const adminUsername = process.env.ADMIN_USERNAME;
  const adminPassword = process.env.ADMIN_PASSWORD;

  if (!adminUsername || !adminPassword) {
    console.error('Admin credentials not configured in environment variables');
    return false;
  }

  return username === adminUsername && password === adminPassword;
}

/**
 * Generate JWT token for authenticated admin
 */
export function generateToken(user: AdminUser): string {
  return jwt.sign(user, JWT_SECRET, {
    expiresIn: TOKEN_EXPIRY,
  });
}

/**
 * Verify and decode JWT token
 * Returns the decoded payload or null if invalid
 */
export function verifyToken(token: string): JWTPayload | null {
  try {
    const decoded = jwt.verify(token, JWT_SECRET) as JWTPayload;
    return decoded;
  } catch (error) {
    console.error('JWT verification failed:', error);
    return null;
  }
}

/**
 * Extract token from Authorization header
 * Supports both "Bearer token" and plain token formats
 */
export function extractToken(authHeader: string | null): string | null {
  if (!authHeader) return null;

  if (authHeader.startsWith('Bearer ')) {
    return authHeader.substring(7);
  }

  return authHeader;
}

/**
 * Check if user is authenticated admin
 */
export function isAuthenticated(token: string | null): boolean {
  if (!token) return false;

  const payload = verifyToken(token);
  return payload !== null && payload.isAdmin === true;
}