/*
    This file is part of jellything (https://codeberg.org/metamuffin/jellything)
    which is licensed under the GNU Affero General Public License (version 3); see /COPYING.
    Copyright (C) 2025 metamuffin <metamuffin.org>
*/
use super::{AdminSession, Session};
use crate::{database::Database, routes::ui::error::MyError};
use anyhow::anyhow;
use log::warn;
use rocket::{
    async_trait,
    http::Status,
    outcome::Outcome,
    request::{self, FromRequest},
    Request, State,
};

impl Session {
    pub async fn from_request_ut(req: &Request<'_>) -> Result<Self, MyError> {
        let username;

        #[cfg(not(feature = "bypass-auth"))]
        {
            let token = req
                .query_value("session")
                .or_else(|| req.query_value("api_key"))
                .or_else(|| req.headers().get_one("X-MediaBrowser-Token").map(Ok))
                .or_else(|| {
                    req.headers()
                        .get_one("Authorization")
                        .and_then(parse_jellyfin_auth)
                        .map(Ok)
                }) // for jellyfin compat
                .map(|e| e.expect("str parse should not fail, right?"))
                .or(req.cookies().get("session").map(|cookie| cookie.value()))
                .ok_or(anyhow!("not logged in"))?;

            username = super::token::validate(token)?;
        };

        #[cfg(feature = "bypass-auth")]
        {
            username = "admin".to_string();
        }

        let db = req.guard::<&State<Database>>().await.unwrap();

        let user = db.get_user(&username)?.ok_or(anyhow!("user not found"))?;

        Ok(Session { user })
    }
}

fn parse_jellyfin_auth(h: &str) -> Option<&str> {
    for tok in h.split(" ") {
        if let Some(tok) = tok.strip_prefix("Token=\"") {
            if let Some(tok) = tok.strip_suffix("\"") {
                let tok = tok.strip_suffix("%3D").unwrap_or(tok);
                let tok = tok.strip_suffix("%3D").unwrap_or(tok);
                let tok = tok.strip_suffix("%3D").unwrap_or(tok);
                return Some(tok);
            }
        }
    }
    None
}

#[async_trait]
impl<'r> FromRequest<'r> for Session {
    type Error = MyError;
    async fn from_request<'life0>(
        request: &'r Request<'life0>,
    ) -> request::Outcome<Self, Self::Error> {
        match Session::from_request_ut(request).await {
            Ok(x) => Outcome::Success(x),
            Err(e) => {
                warn!("authentificated route rejected: {e:?}");
                Outcome::Forward(Status::Unauthorized)
            }
        }
    }
}

#[async_trait]
impl<'r> FromRequest<'r> for AdminSession {
    type Error = MyError;
    async fn from_request<'life0>(
        request: &'r Request<'life0>,
    ) -> request::Outcome<Self, Self::Error> {
        match Session::from_request_ut(request).await {
            Ok(x) => {
                if x.user.admin {
                    Outcome::Success(AdminSession(x))
                } else {
                    Outcome::Error((
                        Status::Unauthorized,
                        MyError(anyhow!("you are not an admin")),
                    ))
                }
            }
            Err(e) => {
                warn!("authentificated route rejected: {e:?}");
                Outcome::Forward(Status::Unauthorized)
            }
        }
    }
}