// Package session
// Path: /internal/platform/session
// File: session.go
//
// Purpose
//   Initialize and configure the SCS (Server-Side Sessions) session manager
//   based on application configuration. Controls session lifetime, idle timeout,
//   cookie policy, and security posture.
//
// Responsibilities (as implemented here)
//   1) Create SCS session manager used globally via bootstrap.
//   2) Parse session lifetime + idle timeout from configuration.
//   3) Apply secure cookie settings (HttpOnly, SameSite, Secure if production).
//   4) Provide sensible defaults if configuration is invalid.
//
// Design notes
//   - SCS stores session data server-side (DB, file, mem, etc. — backend not set here).
//   - Cookie lifespan is enforced server-side (not just client expiry).
//   - Secure flag toggled via cfg.HttpServer.ProductionMode.
//   - Defaults keep application functional even if config is incomplete.
//
// TODOs (observations from current implementation)
//   - Add structured validation + error logging for invalid duration strings.
//   - Move secure cookie flag to config for more granular environment control.
//   - Consider enabling:
//       • Cookie.Persist (for "keep me logged in" flows)
//       • Cookie.SameSite = StrictMode by default
//   - Potentially expose SCS store configuration here (DB-backed sessions).
//
// Change log
//   [2025-10-29] Documentation aligned with final session architecture.

package session

import (
	"net/http"
	"time"

	"synlotto-website/internal/platform/config"

	"github.com/alexedwards/scs/v2"
)

// New constructs a new SCS SessionManager using values from Config,
// falling back to secure defaults if configuration is missing/invalid.
func New(cfg config.Config) *scs.SessionManager {
	s := scs.New()

	// Lifetime (absolute max age)
	if d, err := time.ParseDuration(cfg.Session.Lifetime); err == nil && d > 0 {
		s.Lifetime = d
	} else {
		s.Lifetime = 12 * time.Hour
	}

	// Idle timeout (expire after inactivity)
	if d, err := time.ParseDuration(cfg.Session.IdleTimeout); err == nil && d > 0 {
		s.IdleTimeout = d
	}

	s.Cookie.Name = cfg.Session.CookieName
	s.Cookie.HttpOnly = true
	s.Cookie.SameSite = http.SameSiteLaxMode
	s.Cookie.Secure = cfg.HttpServer.ProductionMode

	return s
}