// Package pkce produces PKCE (RFC 7636) code verifier / code challenge pairs.
package pkce

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
)

// verifierLength equals the number of characters in the unpadded base64url
// encoding of 32 bytes, which is the size of the verifier Generate builds.
// It is also the minimum verifier length RFC 7636 allows.
// NOTE(review): nothing in this file references the constant; confirm it is
// used elsewhere in the package or wire it into a length check.
const verifierLength = 43

// Generate returns a fresh PKCE code verifier together with its S256 code
// challenge.
//
// The verifier is the unpadded base64url encoding of 32 bytes read from
// crypto/rand. The challenge is the unpadded base64url encoding of the
// SHA-256 digest of the verifier string, which is the "S256" transformation.
//
// If the random source fails, both strings are empty and the error from
// rand.Read is returned unchanged.
//
// The verifier is the secret half of the pair: only the challenge belongs in
// the authorization request, and the verifier should stay out of logs and
// URLs until it is presented at the token endpoint.
func Generate() (verifier, challenge string, err error) {
	enc := base64.RawURLEncoding

	// 32 bytes from the OS CSPRNG; never substitute math/rand here.
	entropy := make([]byte, 32)
	if _, err = rand.Read(entropy); err != nil {
		return "", "", err
	}
	verifier = enc.EncodeToString(entropy)

	// S256: hash the encoded verifier text, not the raw random bytes.
	digest := sha256.Sum256([]byte(verifier))
	challenge = enc.EncodeToString(digest[:])

	return verifier, challenge, nil
}