import base64
import os
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

from app.config import settings


def _get_encryption_key() -> bytes:
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=settings.encryption_salt.encode(),
        iterations=480000,
    )
    return base64.urlsafe_b64encode(kdf.derive(settings.secret_key.encode()))


def encrypt_api_key(plaintext: str) -> str:
    if not plaintext:
        return ""
    fernet = Fernet(_get_encryption_key())
    encrypted = fernet.encrypt(plaintext.encode())
    return base64.urlsafe_b64encode(encrypted).decode()


def decrypt_api_key(ciphertext: str) -> str:
    if not ciphertext:
        return ""
    fernet = Fernet(_get_encryption_key())
    encrypted = base64.urlsafe_b64decode(ciphertext.encode())
    return fernet.decrypt(encrypted).decode()