from flask import request
from jwt import decode, ExpiredSignatureError, InvalidTokenError
from util.logger import logger

SECRET_KEY = "bitte_hier_dein_geheimes_passwort_setzen"  # später .env verwenden

def verify_token():
    auth_header = request.headers.get("Authorization", "")
    if not auth_header.startswith("Bearer "):
        logger.warning("🔐 Invalid Bearer header")
        return None

    token = auth_header.replace("Bearer ", "")
    try:
        decoded = decode(token, SECRET_KEY, algorithms=["HS256"])
        return decoded
    except ExpiredSignatureError:
        logger.warning("🔐 Token expired")
        return None
    except InvalidTokenError:
        logger.warning("🔐 Invalid token")
        return None