using System.Security.Cryptography;
using System.Text;

namespace SIGCM2.Domain.Security;

/// <summary>
/// Pure static helper for hashing opaque refresh tokens.
/// SHA-256 is appropriate here — tokens are 256-bit random values (not passwords),
/// so salting is unnecessary. Output is base64url without padding.
/// </summary>
public static class TokenHasher
{
    public static string Sha256Base64Url(string raw)
    {
        var bytes = Encoding.UTF8.GetBytes(raw);
        var hash = SHA256.HashData(bytes);
        return Base64UrlEncode(hash);
    }

    private static string Base64UrlEncode(byte[] bytes)
        => Convert.ToBase64String(bytes)
                  .TrimEnd('=')
                  .Replace('+', '-')
                  .Replace('/', '_');
}