nakama/backend/utils/tokens.js


const jwt = require('jsonwebtoken');
const config = require('../config');
// Cookie names for the two tokens, read once from configuration at module load.
const {
  accessCookieName: ACCESS_COOKIE,
  refreshCookieName: REFRESH_COOKIE
} = config.jwt;
/**
 * Builds the claim set shared by the access and refresh tokens.
 *
 * Only the identifier, Telegram id and role are copied. Email and
 * passwordHash are deliberately left out: a JWT payload is signed but not
 * encrypted, so anyone holding the token can read it.
 *
 * The role is a snapshot taken at signing time. A consumer that trusts this
 * claim sees a role change only once a new token has been issued.
 *
 * @param {object} user - User record; reads `_id`, `telegramId` and `role`.
 * @returns {{userId: string, telegramId: *, role: *}} Claims to be signed.
 */
const buildPayload = (user) => {
  const userId = user._id.toString();
  const { telegramId, role } = user;
  return { userId, telegramId, role };
};
/**
 * Signs an access token for the given user.
 *
 * No `algorithm` option is passed, so jsonwebtoken's default applies.
 * The lifetime comes from `config.jwt.accessExpiresIn`, suffixed with "s".
 *
 * @param {object} user - User record passed on to buildPayload.
 * @returns {string} Signed JWT.
 */
const signAccessToken = (user) => {
  const claims = buildPayload(user);
  const signOptions = { expiresIn: `${config.jwt.accessExpiresIn}s` };
  return jwt.sign(claims, config.jwt.accessSecret, signOptions);
};
/**
 * Signs a refresh token for the given user.
 *
 * The claims are the same as for the access token. Only the signing secret
 * and the lifetime differ, so keeping the two token kinds apart depends on
 * `refreshSecret` and `accessSecret` being different values.
 * NOTE(review): confirm that in the configuration.
 *
 * @param {object} user - User record passed on to buildPayload.
 * @returns {string} Signed JWT.
 */
const signRefreshToken = (user) => {
  const claims = buildPayload(user);
  const signOptions = { expiresIn: `${config.jwt.refreshExpiresIn}s` };
  return jwt.sign(claims, config.jwt.refreshSecret, signOptions);
};
/**
 * Issues a fresh access/refresh token pair for a user.
 *
 * @param {object} user - User record to issue tokens for.
 * @returns {{accessToken: string, refreshToken: string}} The signed pair.
 */
const signAuthTokens = (user) => {
  const accessToken = signAccessToken(user);
  const refreshToken = signRefreshToken(user);
  return { accessToken, refreshToken };
};
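/**
 * Cookie attributes shared by the access and refresh cookies.
 *
 * - httpOnly: the cookies are not readable from page scripts.
 * - secure: set only in production, so outside production the cookies are
 *   also sent over plain HTTP.
 * - sameSite: 'lax'. The previous conditional returned 'lax' on both
 *   branches, so it is written as a constant here.
 *   NOTE(review): if a stricter production value was intended, set it
 *   explicitly. With 'lax' the cookies still accompany top-level GET
 *   navigations from other sites, so state-changing routes should not be
 *   reachable via GET.
 *
 * @returns {{httpOnly: boolean, secure: boolean, sameSite: string, path: string}}
 */
const getCookieBaseOptions = () => ({
  httpOnly: true,
  secure: config.isProduction(),
  sameSite: 'lax',
  path: '/'
});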
/**
 * Writes both auth cookies onto the response.
 *
 * Each cookie's maxAge is the configured token lifetime multiplied by 1000,
 * so a cookie and the token it carries expire together.
 *
 * @param {object} res - Response object exposing `cookie(name, value, options)`.
 * @param {{accessToken: string, refreshToken: string}} tokens - Pair to store.
 * @returns {void}
 */
const setAuthCookies = (res, tokens) => {
  const sharedOptions = getCookieBaseOptions();
  const toMilliseconds = (seconds) => seconds * 1000;

  res.cookie(ACCESS_COOKIE, tokens.accessToken, {
    ...sharedOptions,
    maxAge: toMilliseconds(config.jwt.accessExpiresIn)
  });

  res.cookie(REFRESH_COOKIE, tokens.refreshToken, {
    ...sharedOptions,
    maxAge: toMilliseconds(config.jwt.refreshExpiresIn)
  });
};
/**
 * Removes both auth cookies from the client.
 *
 * The same base attributes used when setting the cookies are passed to
 * `clearCookie` for both names.
 * This only clears the cookies. Nothing in this function invalidates the
 * tokens themselves.
 *
 * @param {object} res - Response object exposing `clearCookie(name, options)`.
 * @returns {void}
 */
const clearAuthCookies = (res) => {
  const sharedOptions = getCookieBaseOptions();
  for (const cookieName of [ACCESS_COOKIE, REFRESH_COOKIE]) {
    res.clearCookie(cookieName, sharedOptions);
  }
};
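/**
 * Verifies an access token and returns its decoded claims.
 *
 * signAccessToken passes no `algorithm` option and so relies on
 * jsonwebtoken's default (HS256). The verifier is pinned to that value, so
 * a token whose header names any other algorithm is rejected.
 *
 * @param {string} token - JWT taken from the access cookie.
 * @returns {object} Decoded payload.
 * @throws Whatever jwt.verify throws for an invalid, expired or malformed token.
 */
const verifyAccessToken = (token) =>
  jwt.verify(token, config.jwt.accessSecret, { algorithms: ['HS256'] });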
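/**
 * Verifies a refresh token and returns its decoded claims.
 *
 * signRefreshToken passes no `algorithm` option and so relies on
 * jsonwebtoken's default (HS256). The verifier is pinned to that value, so
 * a token whose header names any other algorithm is rejected.
 * An access token is rejected here only if `refreshSecret` differs from
 * `accessSecret`, because the payloads carry no token-type claim.
 *
 * @param {string} token - JWT taken from the refresh cookie.
 * @returns {object} Decoded payload.
 * @throws Whatever jwt.verify throws for an invalid, expired or malformed token.
 */
const verifyRefreshToken = (token) =>
  jwt.verify(token, config.jwt.refreshSecret, { algorithms: ['HS256'] });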
// Public surface of the token helpers. The individual signers, buildPayload
// and getCookieBaseOptions stay private to this module.
module.exports = {
  // Cookie names
  ACCESS_COOKIE, REFRESH_COOKIE,
  // Issuing tokens and managing their cookies
  signAuthTokens, setAuthCookies, clearAuthCookies,
  // Verification
  verifyAccessToken, verifyRefreshToken
};