// File Path: monorepo/cloud/maplepress-backend/pkg/security/password/timing.go
package password

import (
	"codeberg.org/mapleopentech/monorepo/cloud/maplepress-backend/pkg/security/securestring"
)

// DummyPasswordHash is a pre-computed valid Argon2id hash used for timing attack mitigation
// This hash is computed with the same parameters as real password hashes
// CWE-208: Observable Timing Discrepancy - Prevents user enumeration via timing attacks
const DummyPasswordHash = "$argon2id$v=19$m=65536,t=3,p=2$c29tZXJhbmRvbXNhbHQxMjM0$kixiIQQ/y8E7dSH0j8p8KPBUlCMUGQOvH2kP7XYPkVs"

// ComparePasswordWithDummy performs password comparison but always uses a dummy hash
// This is used when a user doesn't exist to maintain constant time behavior
// CWE-208: Observable Timing Discrepancy - Mitigates timing-based user enumeration
func (p *passwordProvider) ComparePasswordWithDummy(password *securestring.SecureString) error {
	// Perform the same expensive operation (Argon2 hashing) even for non-existent users
	// This ensures the timing is constant regardless of whether the user exists
	_, _ = p.ComparePasswordAndHash(password, DummyPasswordHash)

	// Always return false (user doesn't exist, so authentication always fails)
	// The important part is that we spent the same amount of time
	return nil
}

// TimingSafeCompare performs a timing-safe password comparison
// It always performs the password hashing operation regardless of whether
// the user exists or the password matches
// CWE-208: Observable Timing Discrepancy - Prevents timing attacks
func TimingSafeCompare(provider PasswordProvider, password *securestring.SecureString, hash string, userExists bool) (bool, error) {
	if !userExists {
		// User doesn't exist - perform dummy hash comparison to maintain constant time
		if pp, ok := provider.(*passwordProvider); ok {
			_ = pp.ComparePasswordWithDummy(password)
		} else {
			// Fallback if type assertion fails
			_, _ = provider.ComparePasswordAndHash(password, DummyPasswordHash)
		}
		return false, nil
	}

	// User exists - perform real comparison
	return provider.ComparePasswordAndHash(password, hash)
}