package authentik

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

type sessionClaims struct {
	Authenticated bool   `json:"authenticated"`
	Sub           string `json:"sub"`
}

// SessionAuthenticated reports whether exported cookies contain a logged-in Authentik session.
func SessionAuthenticated(stored []SerializedCookie) bool {
	for _, sc := range stored {
		if sc.Name != "authentik_session" || strings.TrimSpace(sc.Value) == "" {
			continue
		}
		parts := strings.Split(sc.Value, ".")
		if len(parts) < 2 {
			continue
		}
		raw, err := base64.RawURLEncoding.DecodeString(parts[1])
		if err != nil {
			continue
		}
		var claims sessionClaims
		if err := json.Unmarshal(raw, &claims); err != nil {
			continue
		}
		if claims.Authenticated && claims.Sub != "" && claims.Sub != "anonymous" {
			return true
		}
	}
	return false
}