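using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using System.Linq;

namespace StellaOps.Auth.Security.Dpop;

public sealed partial class DpopProofValidator
{
    /// <summary>
    /// Verifies the JWS signature of a DPoP proof against the key carried in the proof's own header.
    /// </summary>
    /// <param name="proof">The compact-serialized DPoP proof.</param>
    /// <param name="header">The parsed proof header; <c>header.Key</c> is used as the verification key.</param>
    /// <returns>
    /// <c>null</c> when the signature verifies; otherwise an <c>invalid_signature</c> failure result.
    /// </returns>
    /// <remarks>
    /// Audience, issuer, lifetime and replay validation are switched off here, so this method
    /// establishes only that the proof was signed by the holder of the key embedded in it.
    /// Freshness, replay and request/token binding are not checked in this method.
    /// NOTE(review): header parsing is outside this file; presumably it rejects symmetric and
    /// private-key JWKs before the key reaches this method. Confirm.
    /// </remarks>
    private DpopValidationResult? ValidateSignature(string proof, DpopProofHeader header)
    {
        const string FailureDescription = "DPoP proof signature validation failed.";

        try
        {
            var allowedAlgorithms = _options.NormalizedAlgorithms.ToArray();

            // TokenValidationParameters.ValidAlgorithms restricts algorithms only when the
            // collection is non-empty, so an empty allow-list would lift the restriction.
            // Fail closed. NormalizedAlgorithms is defined outside this file; if it already
            // guarantees at least one entry, this guard is redundant defense-in-depth.
            if (allowedAlgorithms.Length == 0)
            {
                _logger?.LogError("DPoP proof rejected: no signing algorithms are configured.");
                return DpopValidationResult.Failure("invalid_signature", FailureDescription);
            }

            var parameters = new TokenValidationParameters
            {
                // Claims-level checks are disabled; only the signature is verified here.
                ValidateAudience = false,
                ValidateIssuer = false,
                ValidateLifetime = false,
                ValidateTokenReplay = false,

                // Unsigned tokens are never accepted.
                RequireSignedTokens = true,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = header.Key,
                ValidAlgorithms = allowedAlgorithms
            };

            _tokenHandler.ValidateToken(proof, parameters, out _);

            // Reaching this point means the handler did not throw.
            return null;
        }
        catch (Exception ex)
        {
            // Every exception is mapped to a rejection so that an unexpected error can never
            // be read as a valid signature. The caller gets a generic message; details are
            // written to the log only.
            _logger?.LogWarning(ex, "DPoP proof signature validation failed.");
            return DpopValidationResult.Failure("invalid_signature", FailureDescription);
        }
    }
}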