import os
import time
import jwt  # PyJWT
from typing import Tuple


def _split_key(raw_key: str) -> Tuple[str, bytes]:
    """
    raw_key is the 'id:secret' from Ghost.
    Returns (id, secret_bytes)
    """
    key_id, key_secret_hex = raw_key.split(':', 1)
    secret_bytes = bytes.fromhex(key_secret_hex)
    return key_id, secret_bytes


def make_ghost_admin_jwt() -> str:
    """
    Generate a short-lived JWT suitable for Authorization: Ghost <token>
    """
    raw_key = os.environ["GHOST_ADMIN_API_KEY"]
    key_id, secret_bytes = _split_key(raw_key)

    now = int(time.time())

    payload = {
        "iat": now,
        "exp": now + 5 * 60,   # now + 5 minutes
        "aud": "/admin/",
    }

    headers = {
        "alg": "HS256",
        "kid": key_id,
        "typ": "JWT",
    }

    token = jwt.encode(
        payload,
        secret_bytes,
        algorithm="HS256",
        headers=headers,
    )

    # PyJWT returns str in recent versions; Ghost expects bare token string
    return token