package oauth

import (
	"crypto/sha256"
	"database/sql"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"

	"github.com/RangelReale/osin"
	"github.com/felipeweb/osin-mysql"
	"github.com/gin-gonic/gin"
)

var osinServer *osin.Server

var rh RequestHandler

// Initialise initialises the oauth router.
func Initialise(handler RequestHandler) error {
	store := mysql.New(handler.GetDB(), "osin_")

	rh = handler

	config := osin.NewServerConfig()
	config.AllowClientSecretInParams = true
	config.AllowGetAccessRequest = true
	// Hmm... Wondering why we're making access tokens everlasting, and
	// disabling refresh tokens? http://telegra.ph/On-refresh-tokens-06-10
	config.AccessExpiration = 0
	osinServer = osin.NewServer(config, storage{store})
	return nil
}

// Client is the data passed to the template of the authorization page.
type Client struct {
	ID             string
	Name           string
	CreatorID      int
	Avatar         string
	Authorizations []string
}

func clientFromOsinClient(oc osin.Client) Client {
	userDataRaw := oc.GetUserData().(string)

	var userData [3]string
	json.Unmarshal([]byte(userDataRaw), &userData)

	cid, _ := strconv.Atoi(userData[1])

	return Client{
		ID:        oc.GetId(),
		Name:      userData[0],
		CreatorID: cid,
		Avatar:    userData[2],
		// Authorizations is managed by caller
	}
}

// RequestHandler contains the functions to which Oauth will delegate.
type RequestHandler interface {
	// Checks whether the user is logged in. If they are, it returns true. Otherwise, it redirects
	// the user to the login page.
	CheckLoggedInOrRedirect(c *gin.Context) bool
	// DisplayAuthorizePage renders the page where the user can validate the request for authorization
	DisplayAuthorizePage(client Client, c *gin.Context)
	// CheckCSRF is a function that checks the POSTed parameter `csrf` is valid.
	CheckCSRF(c *gin.Context, s string) bool
	// GetDB retrieves MySQL's DB.
	GetDB() *sql.DB
	// GetUserID retrieves the ID of the currently logged in user.
	GetUserID(c *gin.Context) int
}

// Authorize handles a request for user authorization
func Authorize(c *gin.Context) {
	resp := osinServer.NewResponse()
	defer resp.Close()

	// first we let osinserver handle the authorize request
	if ar := osinServer.HandleAuthorizeRequest(resp, c.Request); ar != nil {
		// we then make sure to be logged in
		if !rh.CheckLoggedInOrRedirect(c) {
			return
		}

		// and show the authorization page
		client := clientFromOsinClient(ar.Client)
		client.Authorizations = safeScopes(strings.Split(ar.Scope, " "))
		if c.PostForm("appid") != ar.Client.GetId() || !rh.CheckCSRF(c, c.PostForm("csrf")) {
			rh.DisplayAuthorizePage(client, c)
			return
		}

		// all good, authorization succeded
		ar.Authorized = c.PostForm("approve") == "1"
		ar.UserData = strconv.Itoa(rh.GetUserID(c))
		ar.Scope = strings.Join(client.Authorizations, " ")
		osinServer.FinishAuthorizeRequest(resp, c.Request, ar)
	}
	if resp.IsError && resp.InternalError != nil {
		fmt.Println(resp.InternalError)
	}
	osin.OutputJSON(resp, c.Writer, c.Request)
}

// an "identify" scope is taken for granted
var scopes = [...]string{
	"read_confidential",
	"write",
}

// safeScopes removes duplicates and invalid elements from the raw scopes
func safeScopes(rawScopes []string) []string {
	retScopes := make([]string, 0, len(scopes))
	for _, el := range scopes {
		for _, rawScope := range rawScopes {
			if rawScope == el {
				retScopes = append(retScopes, rawScope)
				break
			}
		}
	}
	return retScopes
}

// Token handles a request from a client to obtain an access token.
func Token(c *gin.Context) {
	resp := osinServer.NewResponse()
	defer resp.Close()

	_ = resp.Storage.(storage)

	c.Request.ParseForm()

	if ar := osinServer.HandleAccessRequest(resp, c.Request); ar != nil {
		ar.Authorized = true
		ar.GenerateRefresh = false

		redirectURI := c.Query("redirect_uri")
		// Get redirect uri from AccessRequest if it's there (e.g., refresh token request)
		if ar.RedirectUri != "" {
			redirectURI = ar.RedirectUri
		}

		ar.ForceAccessData = &osin.AccessData{
			Client:        ar.Client,
			AuthorizeData: ar.AuthorizeData,
			AccessData:    ar.AccessData,
			RedirectUri:   redirectURI,
			CreatedAt:     osinServer.Now(),
			ExpiresIn:     ar.Expiration,
			UserData:      ar.UserData,
			Scope:         ar.Scope,
		}

		// generate access token
		plainToken, _, _ := osinServer.AccessTokenGen.GenerateAccessToken(ar.ForceAccessData, ar.GenerateRefresh)
		ar.ForceAccessData.AccessToken = fmt.Sprintf("%x", sha256.Sum256([]byte(plainToken)))

		osinServer.FinishAccessRequest(resp, c.Request, ar)
		resp.Output["access_token"] = plainToken
	}
	if resp.IsError && resp.InternalError != nil {
		fmt.Printf("ERROR: %s\n", resp.InternalError)
	}
	delete(resp.Output, "expire_in")
	osin.OutputJSON(resp, c.Writer, c.Request)
}