using System.Text.Json;

namespace StellaOps.Auth.Security.Dpop;

public sealed partial class DpopProofValidator
{
    /// <summary>
    /// Reads the <c>nonce</c> claim from a DPoP proof payload and, when the caller
    /// supplies an expected nonce, enforces an exact match against it.
    /// </summary>
    /// <param name="payloadElement">Parsed JSON payload of the DPoP proof.</param>
    /// <param name="expectedNonce">
    /// Nonce the proof must carry, or <c>null</c> when no nonce is being enforced.
    /// </param>
    /// <param name="actualNonce">
    /// Receives the string value of the <c>nonce</c> claim when one is present;
    /// otherwise <c>null</c>. On a mismatch it still holds the value the proof presented.
    /// </param>
    /// <param name="failure">
    /// Receives an <c>invalid_token</c> result when the method returns <c>false</c>;
    /// left at its default value otherwise.
    /// </param>
    /// <returns>
    /// <c>true</c> when no nonce is enforced, or when the presented nonce equals
    /// <paramref name="expectedNonce"/>; <c>false</c> when an enforced nonce is
    /// missing, is not a JSON string, or differs.
    /// </returns>
    /// <remarks>
    /// NOTE(review): RFC 9449 defines the <c>use_dpop_nonce</c> error for nonce
    /// challenges, while this helper reports <c>invalid_token</c> for both failure
    /// cases. Confirm that the caller issues a fresh nonce challenge where one is required.
    /// </remarks>
    private bool TryReadNonce(
        JsonElement payloadElement,
        string? expectedNonce,
        out string? actualNonce,
        out DpopValidationResult failure)
    {
        actualNonce = null;
        failure = default!;

        // A nonce claim only counts when it is present and is a JSON string.
        var hasStringNonce =
            payloadElement.TryGetProperty("nonce", out var nonceElement)
            && nonceElement.ValueKind == JsonValueKind.String;

        if (expectedNonce is null)
        {
            // Nothing to enforce: surface the nonce if the proof has one, and accept.
            // A non-string nonce is ignored here, not rejected.
            if (hasStringNonce)
            {
                actualNonce = nonceElement.GetString();
            }

            return true;
        }

        if (!hasStringNonce)
        {
            failure = DpopValidationResult.Failure("invalid_token", "DPoP proof missing nonce claim.");
            return false;
        }

        actualNonce = nonceElement.GetString();

        // Ordinal comparison: the nonce must match exactly, case included.
        if (string.Equals(actualNonce, expectedNonce, StringComparison.Ordinal))
        {
            return true;
        }

        failure = DpopValidationResult.Failure("invalid_token", "DPoP nonce mismatch.");
        return false;
    }
}