
from flask import Blueprint, request, jsonify, current_app
import os, hmac, hashlib, base64, time, json
license_bp = Blueprint('license', __name__)
SECRET = os.getenv('DRM_KEY','change_me')
TTL = int(os.getenv('TOKEN_TTL','30'))
def sign(payload):
    return base64.urlsafe_b64encode(hmac.new(SECRET.encode(), payload.encode(), hashlib.sha256).digest()).decode().rstrip('=')
@license_bp.route('/token', methods=['POST'])
def token():
    data = request.json or {}
    uid = data.get('user_id'); cid = data.get('content_id')
    if not uid or not cid:
        return jsonify({'error':'user_id and content_id required'}),400
    exp = int(time.time()) + TTL
    payload = json.dumps({'uid':uid,'cid':cid,'exp':exp})
    token = base64.urlsafe_b64encode(payload.encode()).decode().rstrip('=') + '.' + sign(payload)
    stream_url = f"{os.getenv('CDN_URL','https://cdn.example.com')}/secure/{cid}/master.m3u8?token={token}"
    return jsonify({'token':token,'stream_url':stream_url,'expires_in':TTL})
@license_bp.route('/validate', methods=['POST'])
def validate():
    token = request.json.get('token')
    try:
        payload_b64, sig = token.split('.')
        payload = base64.urlsafe_b64decode(payload_b64 + '===').decode()
        expected = sign(payload)
        if not hmac.compare_digest(expected, sig):
            return jsonify({'valid':False}),401
        data = json.loads(payload)
        if data.get('exp',0) < int(time.time()):
            return jsonify({'valid':False}),401
        return jsonify({'valid':True,'payload':data})
    except Exception:
        return jsonify({'valid':False}),401
