package core

import (

"errors"

"time"

"github.com/golang-jwt/jwt/v5"

"github.com/pocketbase/pocketbase/tools/security"

)

// Supported record token types

const (

TokenTypeAuth = "auth"

TokenTypeFile = "file"

TokenTypeVerification = "verification"

TokenTypePasswordReset = "passwordReset"

TokenTypeEmailChange = "emailChange"

)

// List with commonly used record token claims

const (

TokenClaimId = "id"

TokenClaimType = "type"

TokenClaimCollectionId = "collectionId"

TokenClaimEmail = "email"

TokenClaimNewEmail = "newEmail"

TokenClaimRefreshable = "refreshable"

)

// Common token related errors

var (

ErrNotAuthRecord = errors.New("not an auth collection record")

ErrMissingSigningKey = errors.New("missing or invalid signing key")

)

// NewStaticAuthToken generates and returns a new static record authentication token.

//

// Static auth tokens are similar to the regular auth tokens, but are

// non-refreshable and support custom duration.

//

// Zero or negative duration will fallback to the duration from the auth collection settings.

func (m *Record) NewStaticAuthToken(duration time.Duration) (string, error) {

return m.newAuthToken(duration, false)

}

// NewAuthToken generates and returns a new record authentication token.

func (m *Record) NewAuthToken() (string, error) {

return m.newAuthToken(0, true)

}

func (m *Record) newAuthToken(duration time.Duration, refreshable bool) (string, error) {

if !m.Collection().IsAuth() {

return "", ErrNotAuthRecord

}

key := (m.TokenKey() + m.Collection().AuthToken.Secret)

if key == "" {

return "", ErrMissingSigningKey

}

claims := jwt.MapClaims{

TokenClaimType: TokenTypeAuth,

TokenClaimId: m.Id,

TokenClaimCollectionId: m.Collection().Id,

TokenClaimRefreshable: refreshable,

}

if duration <= 0 {

duration = m.Collection().AuthToken.DurationTime()

}

return security.NewJWT(claims, key, duration)

}

// NewVerificationToken generates and returns a new record verification token.

func (m *Record) NewVerificationToken() (string, error) {

if !m.Collection().IsAuth() {

return "", ErrNotAuthRecord

}

key := (m.TokenKey() + m.Collection().VerificationToken.Secret)

if key == "" {

return "", ErrMissingSigningKey

}

return security.NewJWT(

jwt.MapClaims{

TokenClaimType: TokenTypeVerification,

TokenClaimId: m.Id,

TokenClaimCollectionId: m.Collection().Id,

TokenClaimEmail: m.Email(),

},

key,

m.Collection().VerificationToken.DurationTime(),

)

}

// NewPasswordResetToken generates and returns a new auth record password reset request token.

func (m *Record) NewPasswordResetToken() (string, error) {

if !m.Collection().IsAuth() {

return "", ErrNotAuthRecord

}

key := (m.TokenKey() + m.Collection().PasswordResetToken.Secret)

if key == "" {

return "", ErrMissingSigningKey

}

return security.NewJWT(

jwt.MapClaims{

TokenClaimType: TokenTypePasswordReset,

TokenClaimId: m.Id,

TokenClaimCollectionId: m.Collection().Id,

TokenClaimEmail: m.Email(),

},

key,

m.Collection().PasswordResetToken.DurationTime(),

)

}

// NewEmailChangeToken generates and returns a new auth record change email request token.

func (m *Record) NewEmailChangeToken(newEmail string) (string, error) {

if !m.Collection().IsAuth() {

return "", ErrNotAuthRecord

}

key := (m.TokenKey() + m.Collection().EmailChangeToken.Secret)

if key == "" {

return "", ErrMissingSigningKey

}

return security.NewJWT(

jwt.MapClaims{

TokenClaimType: TokenTypeEmailChange,

TokenClaimId: m.Id,

TokenClaimCollectionId: m.Collection().Id,

TokenClaimEmail: m.Email(),

TokenClaimNewEmail: newEmail,

},

key,

m.Collection().EmailChangeToken.DurationTime(),

)

}

// NewFileToken generates and returns a new record private file access token.

func (m *Record) NewFileToken() (string, error) {

if !m.Collection().IsAuth() {

return "", ErrNotAuthRecord

}

key := (m.TokenKey() + m.Collection().FileToken.Secret)

if key == "" {

return "", ErrMissingSigningKey

}

return security.NewJWT(

jwt.MapClaims{

TokenClaimType: TokenTypeFile,

TokenClaimId: m.Id,

TokenClaimCollectionId: m.Collection().Id,

},

key,

m.Collection().FileToken.DurationTime(),

)

}