from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import time
from typing import Any


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def make_jwt(access_key: str, secret_key: str, now: int | None = None) -> str:
    now = now or int(time.time())
    header = {'alg': 'HS256', 'typ': 'JWT'}
    payload = {'iss': access_key, 'exp': now + 1800, 'nbf': now - 5}
    header_b64 = _b64url(json.dumps(header, separators=(',', ':')).encode())
    payload_b64 = _b64url(json.dumps(payload, separators=(',', ':')).encode())
    signing_input = f'{header_b64}.{payload_b64}'.encode()
    signature = hmac.new(secret_key.encode(), signing_input, hashlib.sha256).digest()
    return f'{header_b64}.{payload_b64}.{_b64url(signature)}'


def make_jwt_from_env() -> str:
    ak = os.getenv('KLING_ACCESS_KEY')
    sk = os.getenv('KLING_SECRET_KEY')
    if not ak or not sk:
        raise RuntimeError('KLING_ACCESS_KEY / KLING_SECRET_KEY missing')
    return make_jwt(ak, sk)