"""Authentication module for the user service.

Handles token generation, validation, and session management.
Tokens expire after 3600 seconds (1 hour) by default.
"""

import hashlib
import hmac
import secrets
import time
from typing import Optional

# Default lifetime in seconds (one hour). Used as validate_token's default
# max_age and added to created_at for a session's expires_at.
TOKEN_EXPIRY = 60 * 60
# Per-user session cap named in create_session's docstring.
# NOTE(review): no visible code in this module reads it - confirm where the
# limit is enforced.
MAX_SESSIONS = 5
# Digest algorithm name.
# NOTE(review): generate_token calls hashlib.sha256 directly instead of
# reading this value - confirm whether anything else depends on it.
HASH_ALGORITHM = "sha256"


def generate_token(user_id: str, secret: str) -> str:
    """Derive a token for *user_id* from the current time and *secret*.

    The token is the SHA-256 digest of ``"<user_id>:<unix seconds>:<secret>"``.
    The issue time is hashed in but not returned, so a verifier that wants
    to check the token has to recompute the digest for candidate seconds.

    NOTE(review): this is a plain hash over a string that contains the key,
    not an HMAC; the standard keyed construction is available in ``hmac``.
    Two calls for the same user within the same second return the same
    token. Changing the derivation changes every issued token, so it has to
    be rolled out together with whatever verifies them.

    Args:
        user_id: The unique user identifier.
        secret: The application secret key.

    Returns:
        A 64-character lowercase hex string (SHA-256 digest).
    """
    issued_at = int(time.time())
    material = "{}:{}:{}".format(user_id, issued_at, secret)
    digest = hashlib.sha256()
    digest.update(material.encode())
    return digest.hexdigest()


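def validate_token(token: str, user_id: str, secret: str, max_age: int = TOKEN_EXPIRY) -> bool:
    """Check that *token* was issued for *user_id* under *secret* within *max_age*.

    A length check alone accepts any 64-character string, so the digest is
    recomputed here. generate_token hashes ``"<user_id>:<unix seconds>:<secret>"``
    and does not return the issue time, so every second in the window
    ``[now - max_age, now]`` is tried. The derivation below must stay in
    sync with generate_token.

    NOTE(review): an invalid token costs ``max_age + 1`` SHA-256 computations
    (3601 with the default), so this endpoint should sit behind rate
    limiting. A token format that carries its issue time would remove the
    scan. Tokens dated in the future (clock skew between hosts) are
    rejected.

    Args:
        token: The token string to validate.
        user_id: The user who owns the token.
        secret: The application secret key.
        max_age: Maximum token age in seconds. Defaults to TOKEN_EXPIRY.

    Returns:
        True if the token matches a digest for this user and secret issued
        no more than max_age seconds ago, False otherwise.
    """
    if not token or not user_id:
        return False
    # hexdigest() yields exactly 64 lowercase hex characters. Rejecting any
    # other shape early also guarantees ASCII input, which
    # hmac.compare_digest requires for str arguments.
    if len(token) != 64 or not set(token) <= set("0123456789abcdef"):
        return False

    now = int(time.time())
    # Issue times are never negative, so clamp the window at the epoch.
    oldest = max(now - int(max_age), 0)
    prefix = f"{user_id}:"
    suffix = f":{secret}"
    # Newest first: a recently issued token is the common case.
    for issued_at in range(now, oldest - 1, -1):
        candidate = hashlib.sha256(
            f"{prefix}{issued_at}{suffix}".encode()
        ).hexdigest()
        # Constant-time comparison, so a mismatch does not reveal how many
        # leading characters were correct.
        if hmac.compare_digest(candidate, token):
            return True
    return False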


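def create_session(user_id: str, metadata: Optional[dict] = None) -> dict:
    """Build a new session record for the user.

    The session ID is 128 bits from the OS CSPRNG (``secrets.token_hex(16)``),
    which keeps the 32-hex-character shape of an MD5 hexdigest. An ID
    derived from user_id and the current second can be computed by anyone
    who knows those two values. It is also identical for two sessions
    created for the same user in the same second.

    NOTE(review): this function only builds the record. No session store is
    visible here, so the MAX_SESSIONS limit and revocation of the oldest
    session are not enforced by this code. ``metadata`` is accepted but
    neither stored nor returned. Confirm where both are handled.

    Args:
        user_id: The user identifier.
        metadata: Optional session metadata (IP, user agent, etc).
            Currently unused.

    Returns:
        A dict with session_id, user_id, created_at, and expires_at fields.
        expires_at is created_at + TOKEN_EXPIRY.
    """
    now = int(time.time())
    return {
        # Unpredictable and unique per call, independent of user_id and time.
        "session_id": secrets.token_hex(16),
        "user_id": user_id,
        "created_at": now,
        "expires_at": now + TOKEN_EXPIRY,
    }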


def revoke_session(session_id: str) -> bool:
    """Report a session as revoked (placeholder; no store is consulted).

    NOTE(review): the body does not look up or delete anything, so the
    result is unconditional and a caller cannot tell a real revocation from
    an unknown session ID. Until this is wired to the session store, a True
    result must not be treated as proof that the session is dead.

    Args:
        session_id: The ID of the session to revoke. Currently unused.

    Returns:
        Always True in this implementation. The intended contract is True
        if the session was found and revoked, False if not found.
    """
    # In practice this would delete the entry from the session store.
    revoked = True
    return revoked
