import hmac
import hashlib
import base64
import json

# Demo-only HMAC key shared by create_token() and verify_token().
# A hard-coded, guessable value is acceptable for a classroom example only:
# whoever knows this key can mint valid tokens with any payload. A real service
# loads a long random key from its secret store or environment instead of
# committing it to source control.
SECRET = b"super_secret_key"


def create_token(payload):
    """Return a signed token of the form ``<base64url(JSON)>.<hex HMAC-SHA256>``.

    *payload* must be JSON-serializable. The HMAC is keyed with the
    module-level ``SECRET`` and computed over the base64url text, i.e. over
    exactly the bytes that ``verify_token`` re-signs.

    The payload is only encoded, not encrypted: anyone holding the token can
    read it. Nothing is added to the payload here (no expiry, no token id),
    so a caller that needs tokens to expire has to put that in *payload*
    and check it after verification.
    """
    encoded = base64.urlsafe_b64encode(json.dumps(payload).encode())
    mac = hmac.new(SECRET, encoded, hashlib.sha256)
    return f"{encoded.decode()}.{mac.hexdigest()}"


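def verify_token(token):
    """Return True only if *token* carries a valid HMAC-SHA256 signature.

    The expected format is ``<payload_b64>.<hex signature>`` as produced by
    ``create_token``. The signature is recomputed over the payload text with
    the module-level ``SECRET`` and compared with ``hmac.compare_digest`` so
    the comparison does not leak how many leading characters matched.

    Tokens arrive from the client and are untrusted, so anything malformed
    (not a string, not exactly one ``.``, a non-ASCII signature, text that
    cannot be encoded) is rejected with ``False`` instead of raising.

    Only the signature is checked. The payload is not decoded or validated
    here; callers must read claims from the same token string they verified.
    """
    if not isinstance(token, str):
        return False

    payload_b64, separator, signature = token.partition(".")
    # Exactly one separator: "abc" and "a.b.c" are both malformed.
    if not separator or "." in signature:
        return False

    # compare_digest() raises TypeError on non-ASCII str; a real signature is hex.
    if not signature.isascii():
        return False

    try:
        payload_bytes = payload_b64.encode()
    except UnicodeEncodeError:
        # e.g. lone surrogates; cannot be a token issued by create_token().
        return False

    expected_signature = hmac.new(SECRET, payload_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature, expected_signature)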


# ---- Server side: issue a token ----

payload = dict(user="student", role="user")

token = create_token(payload)

# The part before the dot is plain base64url JSON: the signature protects it
# against modification, not against being read.
print("Token:", token, sep="\n")

print("\nToken valid:", verify_token(token))


# ---- Client side: the token is sent back, with a modified payload ----

print("\n--- Tampering with token ---")

# Decoding the payload needs no key.
payload_json = base64.urlsafe_b64decode(token.partition(".")[0])
payload = json.loads(payload_json)

payload.update(role="admin")

tampered_payload = str(
    base64.urlsafe_b64encode(json.dumps(payload).encode()), "ascii"
)

# The original signature is reused; it was computed over the original payload.
tampered_token = f"{tampered_payload}.{token.rpartition('.')[2]}"

print("Tampered token:", tampered_token, sep="\n")

# Expected: False. Without SECRET the client cannot produce a signature that
# matches the changed payload, so the server must reject this token.
print("\nToken valid:", verify_token(tampered_token))