package op

import (
	"fmt"
	"html/template"
	"net/http"
	"time"

	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
	"github.com/ory/fosite"
	"github.com/ory/fosite/handler/openid"
	"github.com/ory/fosite/token/jwt"
)

func (op *OIDCHandler) AuthEndpoint(w http.ResponseWriter, r *http.Request) {
	namespace := mux.Vars(r)["namespace"]
	oauth2Provider := op.NamespaceProviders[namespace]
	templates_dir := op.config.Namespaces[namespace].TemplatesDir

	t := template.New("auth")
	t = template.Must(t.ParseFiles(
		templates_dir + "/auth.html",
	))

	ctx := r.Context()
	ar, err := oauth2Provider.NewAuthorizeRequest(ctx, r)
	if err != nil {
		oauth2Provider.WriteAuthorizeError(w, ar, err)
		return
	}

	if r.Method == "POST" {
		if r.Form.Get("username") == "" || r.Form.Get("password") == "" {
			oauth2Provider.WriteAuthorizeError(w, ar, fosite.ErrAccessDenied)
			return
		}

		account, err := op.handler.Login(r.Form.Get("username"), r.Form.Get("password"), namespace)
		if err != nil {
			if err = t.ExecuteTemplate(w, "auth", map[string]any{
				csrf.TemplateTag: csrf.TemplateField(r),
				"error":          fmt.Sprintf("Wrong username (%v) or password (%v) in namespace \"%v\"", r.Form.Get("username"), r.Form.Get("password"), namespace),
				"realError":      err,
			}); err != nil {
				oauth2Provider.WriteAuthorizeError(w, ar, err)
			}
			return
		}

		sessionData := &openid.DefaultSession{
			Claims: &jwt.IDTokenClaims{
				Issuer:      fmt.Sprintf("http://%s/%s", r.Host, namespace),
				Subject:     account.ID,
				Audience:    []string{},
				ExpiresAt:   time.Now().Add(time.Hour * 30),
				IssuedAt:    time.Now(),
				RequestedAt: time.Now(),
				AuthTime:    time.Now(),
				Extra:       make(map[string]interface{}),
			},
			Username: r.Form.Get("username"),
			Subject:  account.ID,
			Headers: &jwt.Headers{
				Extra: make(map[string]interface{}),
			},
		}

		// Manage claims
		for _, v := range ar.GetRequestedScopes() {
			ar.GrantScope(v)

			if v != "openid" { // TODO handle standard claims like profile, email, ...
				if mc, ok := op.config.Namespaces[namespace].MatchClaims[v]; ok {
					if d, ok := account.Data[mc]; ok {
						sessionData.Claims.Extra[v] = d
					}
				} else if d, ok := account.Data[v]; ok {
					sessionData.Claims.Extra[v] = d
				}
			}
		}

		response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, sessionData)
		if err != nil {
			oauth2Provider.WriteAuthorizeError(w, ar, err)
			return
		}

		oauth2Provider.WriteAuthorizeResponse(w, ar, response)
		return
	}

	err = t.ExecuteTemplate(w, "auth", map[string]any{
		// csrf.TemplateTag: csrf.TemplateField(r),
	})

	if err != nil {
		panic(err)
	}
}