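# frozen_string_literal: true

# Controller concern for apps that authenticate with a JWT cookie instead of the
# Rails session. It does two things on every response:
#
#   1. drops the Rails session cookie, so no server-side session is kept alive
#      alongside the JWT;
#   2. moves CSRF token storage out of the session and into cookies:
#        - `_csrf_token`   encrypted + httponly, holds the raw token
#                          (see real_csrf_token below);
#        - `x-csrf-token`  readable by JavaScript, holds the masked token that
#                          the client must echo back in the X-CSRF-Token header
#                          (double-submit pattern).
#
# Security notes for reviewers:
#   - The `_csrf_token` cookie is not bound to the JWT or to any user identity,
#     so any valid cookie/header pair is accepted for any user. Protection
#     therefore rests on an attacker being unable to plant cookies for this host
#     (e.g. from a sibling subdomain). A `__Host-` cookie prefix would close
#     that gap; worth considering if subdomains are not fully trusted.
#   - The callback methods below are public, so they count as controller
#     action_methods. They only run as after_action callbacks, which also works
#     for private methods; `private :delete_session_cookie, :set_csrf_token,
#     :real_csrf_token` would keep them out of action dispatch. Left public here
#     to avoid changing the interface in this change.
module CookieBasedCsrf
  extend ActiveSupport::Concern

  included do
    after_action :delete_session_cookie
    after_action :set_csrf_token

    # Removes the Rails session cookie from the response so that the JWT cookie
    # is the only credential the client keeps.
    #
    # NOTE(review): `cookies.delete` is called with the name only. If the
    # session cookie is configured with a custom `domain`/`path`, the same
    # options must be passed here or the browser will not match the deletion.
    def delete_session_cookie
      cookies.delete(Rails.application.config.session_options[:key])
    end

    # Exposes the masked CSRF token to the JavaScript client, or clears both
    # token cookies when the client is not authenticated.
    #
    # `httponly: false` is deliberate: the client reads this cookie and sends
    # its value in the X-CSRF-Token header. The raw token never leaves the
    # encrypted, httponly `_csrf_token` cookie.
    #
    # NOTE(review): the unauthenticated branch also deletes any `_csrf_token`
    # that real_csrf_token may have minted earlier in this same request (for
    # example while rendering a form for a logged-out user), so a token issued
    # on an unauthenticated response cannot be verified later. Confirm that
    # login and other pre-auth endpoints do not depend on CSRF verification.
    def set_csrf_token
      # No JWT => treat the client as logged out and drop both token cookies.
      unless cookies[:jwt]
        cookies.delete(:_csrf_token)
        cookies.delete('x-csrf-token')
        return
      end

      # form_authenticity_token yields the per-request masked token; in Rails it
      # is expected to route through real_csrf_token below to obtain the raw
      # token (confirm for the Rails version in use).
      cookies['x-csrf-token'] = {
        value: form_authenticity_token,
        httponly: false,
        secure: secure_cookies?,
      }
    end

    # Overrides Rails' RequestForgeryProtection#real_csrf_token so the raw CSRF
    # token lives in an encrypted, httponly cookie instead of the session
    # (which delete_session_cookie discards on every response).
    #
    # @param _session ignored; Rails passes the session, cookies are used instead
    # @return [String] the raw (base64-decoded) token bytes, as Rails expects
    # @raise [ArgumentError] if the stored value is not strict base64; only a
    #   value this app encrypted can be stored, so this should not occur
    #
    # A missing cookie is replaced by a freshly generated token. In Rails'
    # encrypted jar a tampered or undecryptable cookie is expected to read as
    # nil and is therefore also silently replaced rather than raising (verify
    # against the Rails version in use).
    def real_csrf_token(_session)
      token = cookies.encrypted[:_csrf_token]
      unless token
        token = SecureRandom.base64(
          ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH,
        )
        cookies.encrypted[:_csrf_token] = {
          value: token,
          httponly: true,
          secure: secure_cookies?,
        }
      end
      # Decode the value we already hold instead of reading (and decrypting)
      # the cookie a second time.
      Base64.strict_decode64(token)
    end

    # Whether token cookies should carry the Secure flag: on everywhere except
    # development and test, where the app is typically served over plain HTTP.
    def secure_cookies?
      !(Rails.env.development? || Rails.env.test?)
    end
    private :secure_cookies?
  end
end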