"""Shared auth token helpers.

We keep password reset/invite token logic in one place so it can be used by:
 - the normal "forgot password" flow
 - company "invite user" flow

Tokens are signed with Flask SECRET_KEY and time-limited.
"""

from __future__ import annotations

from itsdangerous import URLSafeTimedSerializer


def _serializer(secret_key: str) -> URLSafeTimedSerializer:
    return URLSafeTimedSerializer(secret_key, salt="password-reset")


def make_password_reset_token(*, secret_key: str, user_id: int) -> str:
    s = _serializer(secret_key)
    return s.dumps({"user_id": int(user_id)})


def load_password_reset_user_id(*, secret_key: str, token: str, max_age_seconds: int) -> int:
    s = _serializer(secret_key)
    data = s.loads(token, max_age=max_age_seconds)
    return int(data.get("user_id"))