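// pages/api/auth/apple.js
import crypto from 'crypto';
import fs from 'fs';
import path from 'path';

import axios from 'axios';
import jwt from 'jsonwebtoken';

const APPLE_AUTHORIZE_URL = 'https://appleid.apple.com/auth/authorize';
const APPLE_AUDIENCE = 'https://appleid.apple.com';

// Cookie that carries the per-request OAuth `state` value. The callback
// handler (not in this file) must compare it with the `state` Apple posts
// back and reject the request on mismatch.
const STATE_COOKIE = 'apple_oauth_state';
const STATE_COOKIE_MAX_AGE_SECONDS = 600;

/**
 * Starts the "Sign in with Apple" authorization-code flow by redirecting the
 * browser to Apple's authorization page.
 *
 * Security-relevant behaviour:
 * - The client secret is NOT placed in the redirect URL. A URL sent to the
 *   browser ends up in history, proxy logs and Referer headers; the secret is
 *   only meant for the server-to-server token exchange.
 * - `state` is a fresh random value per request, bound to the browser with a
 *   cookie, instead of a constant string that gives no CSRF protection.
 *
 * @param {import('http').IncomingMessage & { method?: string }} req - Incoming API request.
 * @param {object} res - Next.js API response object.
 * @returns {Promise<void>}
 */
export default async function handler(req, res) {
  if (req.method !== 'GET') {
    res.setHeader('Allow', 'GET');
    res.status(405).json({ error: 'Method not allowed' });
    return;
  }

  const clientId = process.env.APPLE_CLIENT_ID;
  if (!clientId) {
    // Without this guard the literal string "undefined" is sent as client_id.
    res.status(500).json({ error: 'APPLE_CLIENT_ID is not configured' });
    return;
  }

  const redirectUri = resolveRedirectUri(req);
  if (!redirectUri) {
    res.status(400).json({ error: 'Unable to determine redirect URI' });
    return;
  }

  const state = crypto.randomBytes(32).toString('hex');

  // response_mode=form_post means Apple answers with a cross-site POST, and
  // SameSite=Lax/Strict cookies are not sent on those; hence SameSite=None,
  // which in turn requires Secure.
  res.setHeader(
    'Set-Cookie',
    `${STATE_COOKIE}=${state}; Path=/api/auth/apple; HttpOnly; Secure; SameSite=None; Max-Age=${STATE_COOKIE_MAX_AGE_SECONDS}`,
  );

  const authorizeUrl = new URL(APPLE_AUTHORIZE_URL);
  authorizeUrl.searchParams.set('response_type', 'code');
  authorizeUrl.searchParams.set('client_id', clientId);
  authorizeUrl.searchParams.set('redirect_uri', redirectUri);
  authorizeUrl.searchParams.set('scope', 'name email');
  authorizeUrl.searchParams.set('response_mode', 'form_post');
  authorizeUrl.searchParams.set('state', state);

  res.redirect(authorizeUrl.toString());
}

/**
 * Determines the callback URL sent to Apple as `redirect_uri`.
 *
 * Prefers the optional APPLE_REDIRECT_URI environment variable (introduced by
 * this function). The Origin header is kept only as a fallback for existing
 * deployments: it is client-controlled, and browsers usually omit it on
 * top-level GET navigations, which would otherwise yield "undefined/...".
 *
 * @param {{ headers: Record<string, string | string[] | undefined> }} req - Incoming request.
 * @returns {string | null} Absolute callback URL, or null when none can be determined.
 */
function resolveRedirectUri(req) {
  const configured = process.env.APPLE_REDIRECT_URI;
  if (configured) {
    return configured;
  }

  const { origin } = req.headers;
  if (typeof origin !== 'string' || origin === '' || origin === 'null') {
    return null;
  }
  return `${origin}/api/auth/apple/callback`;
}

/**
 * Builds the ES256-signed JWT that Apple accepts as `client_secret` on its
 * token endpoint.
 *
 * The returned value is a credential: keep it server-side and never put it in
 * a URL or a response body. It is exported so the callback route can use it
 * for the code-for-token exchange.
 *
 * @returns {string} Signed client-secret JWT.
 * @throws {Error} If the private key file cannot be read or signing fails.
 */
export function generateClientSecret() {
  // The .p8 file is the signing key: keep it out of version control and out
  // of any directory that is served or bundled for the client.
  const appleKey = fs.readFileSync(path.resolve('./_deploy/appleKey.p8'), 'utf8');

  // Fallbacks are kept for backward compatibility. They are identifiers, not
  // secrets, but deployments should set them through the environment.
  const teamID = process.env.APPLE_TEAM_ID || 'XC57P9SXDK';
  const keyID = process.env.APPLE_KEY_ID || 'TB3V355G5Y';
  const appleAppID = process.env.APPLE_APP_ID || 'com.mwitnessing.mwitnessing';

  // 180 days stays inside Apple's roughly six-month upper bound for `exp`.
  // A much shorter lifetime limits the damage if a token ever leaks.
  const now = Math.floor(Date.now() / 1000);
  const exp = now + 86400 * 180;

  const claims = {
    iss: teamID,
    iat: now,
    exp,
    aud: APPLE_AUDIENCE,
    sub: appleAppID,
  };

  // The original signed with `privateKey` and `keyId`, neither of which is
  // defined in this file, so every call threw a ReferenceError.
  return jwt.sign(claims, appleKey, {
    algorithm: 'ES256',
    header: { alg: 'ES256', kid: keyID },
  });
}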