package auth

import (
	"encoding/json"
	"net/http"
	"time"

	"github.com/labstack/echo/v4"

	"dynatron.me/x/blasphem/internal/common"
	"dynatron.me/x/blasphem/internal/generate"
	"dynatron.me/x/blasphem/pkg/auth/provider"
)

type (
	TokenType      string
	RefreshTokenID string
)

type RefreshToken struct {
	ID                    RefreshTokenID      `json:"id"`
	UserID                UserID              `json:"user_id"`
	ClientID              *ClientID           `json:"client_id"`
	ClientName            *string             `json:"client_name"`
	ClientIcon            *string             `json:"client_icon"`
	TokenType             TokenType           `json:"token_type"`
	CreatedAt             *common.PyTimestamp `json:"created_at"`
	AccessTokenExpiration json.Number         `json:"access_token_expiration"`
	Token                 string              `json:"token"`
	JWTKey                string              `json:"jwt_key"`
	LastUsedAt            *common.PyTimestamp `json:"last_used_at"`
	LastUsedIP            *string             `json:"last_used_ip"`
	CredentialID          *CredID             `json:"credential_id"`
	Version               *string             `json:"version"`
}

func (rt *RefreshToken) IsValid() bool {
	return rt.JWTKey != ""
}

type authCodeStore struct {
	s        map[authCodeTuple]flowResult
	lastCull time.Time
}

type authCodeTuple struct {
	ClientID ClientID
	Code     AuthCode
}

func (t *authCodeTuple) IsValid() bool {
	// TODO: more validation than this
	return t.Code != ""
}

type flowResult struct {
	Time time.Time
	Cred *Credentials
	// TODO: remove this comment below \/
	//user provider.ProviderUser `json:"-"`
}

// OAuth 4.2.1 spec recommends 10 minutes
const authCodeExpire = 10 * time.Minute

func (f *flowResult) IsValid(now time.Time) bool {
	if now.After(f.Time.Add(authCodeExpire)) {
		return false
	}

	return true
}

func (ss *authCodeStore) init() {
	ss.s = make(map[authCodeTuple]flowResult)
}

const cullInterval = 5 * time.Minute

func (ss *authCodeStore) cull() {
	if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
		for k, v := range ss.s {
			if !v.IsValid(now) {
				delete(ss.s, k)
			}
		}
	}
}

func (ss *authCodeStore) store(clientID ClientID, cred *Credentials) string {
	ss.cull()
	code := generate.UUID()
	ss.s[authCodeTuple{clientID, AuthCode(code)}] = flowResult{Time: time.Now(), Cred: cred}

	return code
}

func (ss *authCodeStore) verify(tr *TokenRequest, r *http.Request) (*Credentials, bool) {
	key := authCodeTuple{tr.ClientID, tr.Code}
	if t, hasCode := ss.s[key]; hasCode {
		defer delete(ss.s, key)
		// TODO: JWT
		if t.IsValid(time.Now()) {
			return t.Cred, true
		}
	}

	return nil, false
}

type Credentials struct {
	ID               CredID           `json:"id"`
	UserID           UserID           `json:"user_id"`
	AuthProviderType string           `json:"auth_provider_type"`
	AuthProviderID   *string          `json:"auth_provider_id"`
	DataRaw          *json.RawMessage `json:"data,omitempty"`

	User provider.ProviderUser `json:"-"`
}

func (cred *Credentials) MarshalJSON() ([]byte, error) {
	type CredAlias Credentials // alias so ø method set and we don't recurse
	nCd := (*CredAlias)(cred)

	if cred.User != nil {
		providerData := cred.User.UserData()
		if providerData != nil {
			b, err := json.Marshal(providerData)
			if err != nil {
				return nil, err
			}

			dr := json.RawMessage(b)
			nCd.DataRaw = &dr
		}
	}

	return json.Marshal(nCd)
}

func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request) *Credentials {
	cred, success := a.authCodes.verify(tr, r)
	if !success {
		return nil
	}

	return cred
}

const defaultExpiration = 15 * time.Minute

func (a *Authenticator) NewAuthCode(clientID ClientID, cred *Credentials) string {
	return a.authCodes.store(clientID, cred)
}

type GrantType string

const (
	GTAuthorizationCode GrantType = "authorization_code"
	GTRefreshToken      GrantType = "refresh_token"
)

type ClientID common.ClientID

func (c *ClientID) IsValid() bool {
	// TODO: || !indieauth.VerifyClientID(rq.ClientID)?
	return *c != ""
}

type AuthCode string

func (ac *AuthCode) IsValid() bool {
	return *ac != ""
}

type TokenRequest struct {
	ClientID  ClientID  `form:"client_id"`
	Code      AuthCode  `form:"code"`
	GrantType GrantType `form:"grant_type"`
}

func (a *Authenticator) TokenHandler(c echo.Context) error {
	rq := new(TokenRequest)
	err := c.Bind(rq)
	if err != nil {
		return err
	}

	switch rq.GrantType {
	case GTAuthorizationCode:
		if !rq.ClientID.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid client ID"})
		}

		if !rq.Code.IsValid() {
			return c.JSON(http.StatusBadRequest, AuthError{Error: "invalid_request", Description: "invalid code"})
		}

		if cred := a.verifyAndGetCredential(rq, c.Request()); cred != nil {
			// TODO: success
			user, err := a.getOrCreateUser(cred)
			if err != nil {
				return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
			}

			if err := user.allowedToAuth(); err != nil {
				return c.JSON(http.StatusUnauthorized, AuthError{Error: "access_denied", Description: err.Error()})
			}
			return c.String(http.StatusOK, "token good I guess")
		}
	case GTRefreshToken:
		return c.String(http.StatusNotImplemented, "not implemented")
	}

	return c.String(http.StatusUnauthorized, "token bad I guess")
}