use super::{
    db::{self, UserId},
    errors::TideResultExt,
};
use crate::Request;
use anyhow::{anyhow, Context};
use rand::thread_rng;
use rpc::auth as zed_auth;
use scrypt::{
    password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
    Scrypt,
};
use std::convert::TryFrom;
use surf::StatusCode;
use tide::Error;

pub async fn process_auth_header(request: &Request) -> tide::Result<UserId> {
    let mut auth_header = request
        .header("Authorization")
        .ok_or_else(|| {
            Error::new(
                StatusCode::BadRequest,
                anyhow!("missing authorization header"),
            )
        })?
        .last()
        .as_str()
        .split_whitespace();
    let user_id = UserId(auth_header.next().unwrap_or("").parse().map_err(|_| {
        Error::new(
            StatusCode::BadRequest,
            anyhow!("missing user id in authorization header"),
        )
    })?);
    let access_token = auth_header.next().ok_or_else(|| {
        Error::new(
            StatusCode::BadRequest,
            anyhow!("missing access token in authorization header"),
        )
    })?;

    let state = request.state().clone();
    let mut credentials_valid = false;
    for password_hash in state.db.get_access_token_hashes(user_id).await? {
        if verify_access_token(&access_token, &password_hash)? {
            credentials_valid = true;
            break;
        }
    }

    if !credentials_valid {
        Err(Error::new(
            StatusCode::Unauthorized,
            anyhow!("invalid credentials"),
        ))?;
    }

    Ok(user_id)
}

const MAX_ACCESS_TOKENS_TO_STORE: usize = 8;

pub async fn create_access_token(db: &dyn db::Db, user_id: UserId) -> tide::Result<String> {
    let access_token = zed_auth::random_token();
    let access_token_hash =
        hash_access_token(&access_token).context("failed to hash access token")?;
    db.create_access_token_hash(user_id, &access_token_hash, MAX_ACCESS_TOKENS_TO_STORE)
        .await?;
    Ok(access_token)
}

fn hash_access_token(token: &str) -> tide::Result<String> {
    // Avoid slow hashing in debug mode.
    let params = if cfg!(debug_assertions) {
        scrypt::Params::new(1, 1, 1).unwrap()
    } else {
        scrypt::Params::recommended()
    };

    Ok(Scrypt
        .hash_password(
            token.as_bytes(),
            None,
            params,
            &SaltString::generate(thread_rng()),
        )?
        .to_string())
}

pub fn encrypt_access_token(access_token: &str, public_key: String) -> tide::Result<String> {
    let native_app_public_key =
        zed_auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;
    let encrypted_access_token = native_app_public_key
        .encrypt_string(&access_token)
        .context("failed to encrypt access token with public key")?;
    Ok(encrypted_access_token)
}

pub fn verify_access_token(token: &str, hash: &str) -> tide::Result<bool> {
    let hash = PasswordHash::new(hash)?;
    Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok())
}