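/**
 * Utility functions for AES encryption and HMAC integrity using crypto-js.
 *
 * Payload format (produced by `encryptAndSign`, consumed by `verifyAndDecrypt`):
 * a JSON string `{ "ciphertext": string, "hmac": string }`, where `ciphertext`
 * is the output of `CryptoJS.AES.encrypt(..).toString()` (OpenSSL-compatible
 * base64, salt included) and `hmac` is base64 HMAC-SHA256 over that ciphertext
 * string. The MAC is computed over the ciphertext (encrypt-then-MAC) and is
 * checked before any decryption is attempted.
 *
 * Note: The secret key should be managed securely and not hardcoded in production.
 *
 * NOTE(review): the same `secret` is used both as the AES passphrase and as the
 * HMAC key. Passing a string to `CryptoJS.AES.encrypt` selects crypto-js's
 * passphrase mode, whose key/IV derivation is the OpenSSL `EVP_BytesToKey`
 * scheme (MD5-based, single iteration, random salt). Deriving two independent
 * keys (one for encryption, one for the MAC, e.g. via PBKDF2/HKDF) would be
 * stronger, but it changes the payload format, so it is deliberately not done
 * here; existing payloads remain verifiable.
 */
import CryptoJS from 'crypto-js';

/**
 * Compares two strings without short-circuiting on the first differing
 * character, so the comparison time does not reveal how much of a MAC matched.
 * A length mismatch returns early; the HMAC length is fixed, so that leaks
 * nothing useful here.
 *
 * @param a - First string (e.g. the MAC received in the payload).
 * @param b - Second string (e.g. the MAC recomputed locally).
 * @returns `true` only when both strings are identical.
 */
function timingSafeStringEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    // OR-accumulate the XOR of each code unit; stays 0 only if all match
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

/**
 * Encrypts and signs data using AES and HMAC.
 *
 * @typeParam T - Any JSON-serializable value.
 * @param data - The data to encrypt. It is serialized with `JSON.stringify`,
 *   so values it cannot represent (`undefined`, functions, `BigInt`) are not
 *   supported; `JSON.stringify(undefined)` yields `undefined`, which crypto-js
 *   will not accept.
 * @param secret - The secret key (used as AES passphrase and HMAC key).
 * @returns The encrypted and signed payload (JSON string).
 */
export function encryptAndSign<T>(data: T, secret: string): string {
  const plaintext = JSON.stringify(data);
  // Encrypt with AES (passphrase mode: random salt, key/IV derived per call)
  const ciphertext = CryptoJS.AES.encrypt(plaintext, secret).toString();
  // HMAC over the ciphertext string for integrity (encrypt-then-MAC)
  const hmac = CryptoJS.HmacSHA256(ciphertext, secret).toString(CryptoJS.enc.Base64);
  return JSON.stringify({ ciphertext, hmac });
}

/**
 * Verifies and decrypts data using AES and HMAC.
 *
 * Every failure mode — malformed JSON, missing or non-string fields, MAC
 * mismatch, undecryptable bytes, non-UTF-8 or non-JSON plaintext — results in
 * `null`; no distinction is exposed to the caller.
 *
 * @param payload - The encrypted payload (JSON string) as produced by
 *   `encryptAndSign`.
 * @param secret - The secret key used when the payload was created.
 * @returns The decrypted value, or `null` if verification or decryption fails.
 *   The value is whatever `JSON.parse` yields; the static type assumes the
 *   original `data` was an object — if a primitive was encrypted, the caller
 *   must validate the shape before relying on the `object` type.
 */
export function verifyAndDecrypt(payload: string, secret: string): object | null {
  try {
    const parsed: unknown = JSON.parse(payload);
    // Reject anything that is not an object carrying two string fields, so the
    // MAC and decrypt calls never see numbers, arrays or nested objects.
    if (typeof parsed !== 'object' || parsed === null) return null;
    const { ciphertext, hmac } = parsed as Record<string, unknown>;
    if (typeof ciphertext !== 'string' || typeof hmac !== 'string') return null;
    // Verify HMAC before touching the ciphertext
    const expectedHmac = CryptoJS.HmacSHA256(ciphertext, secret).toString(CryptoJS.enc.Base64);
    if (!timingSafeStringEqual(hmac, expectedHmac)) return null;
    // Decrypt; a wrong key typically surfaces as a UTF-8 or JSON error below,
    // which the catch turns into null.
    const bytes = CryptoJS.AES.decrypt(ciphertext, secret);
    const decrypted = bytes.toString(CryptoJS.enc.Utf8);
    return JSON.parse(decrypted);
  } catch {
    return null;
  }
}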