/*
    This file is part of jellything (https://codeberg.org/metamuffin/jellything)
    which is licensed under the GNU Affero General Public License (version 3); see /COPYING.
    Copyright (C) 2023 metamuffin <metamuffin.org>
*/
pub mod admin;
pub mod session;
pub mod settings;

use self::session::SessionCookie;
use super::{error::MyError, layout::LayoutPage};
use crate::{
    database::{Database, User},
    routes::ui::{error::MyResult, home::rocket_uri_macro_r_home, layout::DynLayoutPage},
    CONF,
};
use anyhow::anyhow;
use argon2::{password_hash::Salt, Argon2, PasswordHasher};
use rocket::{
    form::{Contextual, Form},
    get,
    http::{Cookie, CookieJar},
    post,
    response::Redirect,
    uri, FromForm, State,
};
use serde::{Deserialize, Serialize};

#[derive(FromForm)]
pub struct RegisterForm {
    #[field(validate = len(8..128))]
    pub invitation: String,
    #[field(validate = len(4..32))]
    pub username: String,
    #[field(validate = len(4..64))]
    pub password: String,
}

#[get("/account/register")]
pub async fn r_account_register() -> DynLayoutPage<'static> {
    LayoutPage {
        title: "Register".to_string(),
        content: markup::new! {
            form.account[method="POST", action=""] {
                h1 { "Register for " @CONF.brand  }

                label[for="inp-invitation"] { "Invite Code: " }
                input[type="text", id="inp-invitation", name="invitation"]; br;

                label[for="inp-username"] { "Username: " }
                input[type="text", id="inp-username", name="username"]; br;
                label[for="inp-password"] { "Password: " }
                input[type="password", id="inp-password", name="password"]; br;

                input[type="submit", value="Register now!"];
            }
        },
        ..Default::default()
    }
}

#[derive(FromForm, Serialize, Deserialize)]
pub struct LoginForm {
    #[field(validate = len(4..32))]
    pub username: String,
    #[field(validate = len(..64))]
    pub password: String,
}

#[get("/account/login")]
pub fn r_account_login() -> DynLayoutPage<'static> {
    LayoutPage {
        title: "Log in".to_string(),
        content: markup::new! {
            form.account[method="POST", action=""] {
                h1 { "Log in to your Account" }

                label[for="inp-username"] { "Username: " }
                input[type="text", id="inp-username", name="username"]; br;
                label[for="inp-password"] { "Password: " }
                input[type="password", id="inp-password", name="password"]; br;

                input[type="submit", value="Login"];

                p { "While logged in, a cookie will be used to identify you." }
            }
        },
        ..Default::default()
    }
}

#[get("/account/logout")]
pub fn r_account_logout() -> DynLayoutPage<'static> {
    LayoutPage {
        title: "Log out".to_string(),
        content: markup::new! {
            form.account[method="POST", action=""] {
                h1 { "Log out" }
                input[type="submit", value="Log out."];
            }
        },
        ..Default::default()
    }
}

#[post("/account/register", data = "<form>")]
pub fn r_account_register_post<'a>(
    database: &'a State<Database>,
    form: Form<Contextual<'a, RegisterForm>>,
) -> MyResult<DynLayoutPage<'a>> {
    let form = match &form.value {
        Some(v) => v,
        None => return Err(format_form_error(form)),
    };

    if database.invites.remove(&form.invitation).unwrap().is_none() {
        return Err(MyError(anyhow!("invitation invalid")));
    }
    match database
        .users
        .compare_and_swap(
            &form.username,
            None,
            Some(&User {
                display_name: form.username.clone(),
                name: form.username.clone(),
                password: hash_password(&form.username, &form.password),
                admin: false,
            }),
        )
        .unwrap()
    {
        Ok(_) => Ok(LayoutPage {
            title: "Registration successful".to_string(),
            content: markup::new! {
                h1 { "Registration successful, you may log in now." }
            },
            ..Default::default()
        }),
        Err(_) => Err(MyError(anyhow!("username is taken"))),
    }
}

#[post("/account/login", data = "<form>")]
pub fn r_account_login_post(
    database: &State<Database>,
    jar: &CookieJar,
    form: Form<Contextual<LoginForm>>,
) -> MyResult<Redirect> {
    let form = match &form.value {
        Some(v) => v,
        None => return Err(format_form_error(form)),
    };

    login_logic(jar, database, &form.username, &form.password)?;

    Ok(Redirect::found(uri!(r_home())))
}

#[post("/account/logout")]
pub fn r_account_logout_post(jar: &CookieJar) -> MyResult<Redirect> {
    jar.remove_private(Cookie::named("user"));
    Ok(Redirect::found(uri!(r_home())))
}

pub fn login_logic(
    jar: &CookieJar,
    database: &Database,
    username: &str,
    password: &str,
) -> MyResult<()> {
    // hashing the password regardless if the accounts exists to prevent timing attacks
    let password = hash_password(username, password);

    let user = database
        .users
        .get(&username.to_string())?
        .ok_or(anyhow!("invalid password"))?;

    if user.password != password {
        Err(anyhow!("invalid password"))?
    }

    jar.add_private(
        Cookie::build(
            "user",
            serde_json::to_string(&SessionCookie::new(user.name)).unwrap(),
        )
        .permanent()
        .finish(),
    );

    Ok(())
}

pub fn format_form_error<T>(form: Form<Contextual<T>>) -> MyError {
    let mut k = String::from("form validation failed:");
    for e in form.context.errors() {
        k += &format!(
            "\n\t{}: {e}",
            e.name
                .as_ref()
                .map(|e| e.to_string())
                .unwrap_or("<unknown>".to_string())
        )
    }
    MyError(anyhow!(k))
}

pub fn hash_password(username: &str, password: &str) -> Vec<u8> {
    Argon2::default()
        .hash_password(
            format!("{username}\0{password}").as_bytes(),
            <&str as TryInto<Salt>>::try_into("IYMa13osbNeLJKnQ1T8LlA").unwrap(),
        )
        .unwrap()
        .hash
        .unwrap()
        .as_bytes()
        .to_vec()
}