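package oauth2

import (
	"net/url"

	"edge-infra.dev/pkg/edge/iam/barcode"
	"edge-infra.dev/pkg/edge/iam/client"
	"edge-infra.dev/pkg/edge/iam/config"
	"edge-infra.dev/pkg/edge/iam/profile"
	"edge-infra.dev/pkg/edge/iam/session"
	"edge-infra.dev/pkg/edge/iam/util"
	"github.com/gin-gonic/gin"
	"github.com/gorilla/sessions"
	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
)

// OAuth2 bundles the fosite provider with the storage backends the HTTP
// handlers (auth, token, userinfo, discovery, login setup) need.
type OAuth2 struct {
	// fosite is the composed OAuth2/OIDC provider built by newFosite.
	fosite fosite.OAuth2Provider
	// LoginSessionStorage persists the interactive login session state.
	LoginSessionStorage session.LoginSessionStorage
	// ProfileStorage is the source of user profile data (e.g. for /userinfo).
	ProfileStorage profile.Storage
	// store is the cookie/session store shared with the gin handlers.
	store sessions.Store
}

// NewOAuth2 builds the provider and registers the OAuth2/OIDC endpoints on
// router.
//
// storage must implement both session.LoginSessionStorage and
// profile.Storage (in addition to whatever fosite itself requires); the
// type assertions below panic at startup otherwise, which is the intended
// fail-fast behaviour for a mis-wired constructor argument.
func NewOAuth2(router *gin.Engine, store sessions.Store, storage interface{}) *OAuth2 {
	loginSessions, ok := storage.(session.LoginSessionStorage)
	if !ok {
		panic("oauth2: storage does not implement session.LoginSessionStorage")
	}
	profiles, ok := storage.(profile.Storage)
	if !ok {
		panic("oauth2: storage does not implement profile.Storage")
	}

	o := &OAuth2{
		fosite:              newFosite(storage),
		LoginSessionStorage: loginSessions,
		ProfileStorage:      profiles,
		store:               store,
	}

	// Core OAuth2 / OIDC endpoints. /userinfo accepts both GET and POST as
	// permitted by the OIDC Core spec.
	router.GET("/oauth2/auth", util.MakeHandlerFunc(o.auth))
	router.POST("/oauth2/token", util.MakeHandlerFunc(o.token))
	router.GET("/userinfo", util.MakeHandlerFunc(o.userInfo))
	router.POST("/userinfo", util.MakeHandlerFunc(o.userInfo))

	// Discovery documents.
	router.GET("/.well-known/openid-configuration", o.wellknown)
	router.GET("/.well-known/jwks.json", o.jwks)

	// Login-method selection used by the interactive flow.
	router.POST("/oauth2/setup-auth", o.loginOptions)

	return o
}

// newFosite composes the fosite provider with the grant types, token
// strategies and extension handlers this service supports.
//
// Security-relevant settings:
//   - Outside production the redirect-URI security check is disabled so
//     plain-http redirect URIs work in local/dev setups. In production the
//     checker is left nil, so fosite's default applies (https required,
//     localhost exempt). If a production deployment genuinely needs
//     non-https redirect URIs, gate that on an explicit config flag rather
//     than re-introducing a blanket bypass: an http redirect URI exposes the
//     authorization code to anyone on the path, and PKCE does not protect
//     against an attacker who can also intercept the code exchange.
//   - Debug messages are only sent to clients outside production; they can
//     leak internal details useful to an attacker.
func newFosite(storage interface{}) fosite.OAuth2Provider {
	cfg := &compose.Config{
		RefreshTokenScopes:         []string{"offline", "offline_access"},
		AccessTokenLifespan:        config.AccessTokenLifespan(),
		AuthorizeCodeLifespan:      config.GetAuthCodeLifeSpan(),
		SendDebugMessagesToClients: !config.IsProduction(),
	}
	if !config.IsProduction() {
		// Dev/test only: accept any redirect URI scheme (see doc comment).
		cfg.RedirectSecureChecker = func(_ *url.URL) bool { return true }
	}

	strategy := &compose.CommonStrategy{
		// Access tokens are JWTs signed with the service private key; the
		// HMAC strategy is the fallback for opaque tokens (refresh tokens,
		// authorization codes). No rotated secrets are configured (nil).
		CoreStrategy: compose.NewOAuth2JWTStrategy(
			config.PrivateKey(),
			compose.NewOAuth2HMACStrategy(cfg, config.Secret(), nil),
		),
		OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(cfg, config.PrivateKey()),
		JWTStrategy:                config.GetJWTStrategy(),
	}

	// Client secrets are compared with bcrypt; the cost comes from config so
	// it can be tuned per environment without a code change.
	hasher := &fosite.BCrypt{WorkFactor: config.FositeBcryptCost()}

	// Handler order is preserved from the original composition; fosite runs
	// handlers in registration order, so do not reorder casually.
	return compose.Compose(
		cfg,
		storage,
		strategy,
		hasher,
		compose.OAuth2AuthorizeExplicitFactory,
		compose.OAuth2RefreshTokenGrantFactory,
		RefreshTokenVerifyFactory,
		client.RolesFactory,
		compose.OAuth2ClientCredentialsGrantFactory,
		compose.OAuth2TokenIntrospectionFactory,
		compose.OAuth2TokenRevocationFactory,
		compose.OAuth2PKCEFactory,
		compose.OpenIDConnectExplicitFactory,
		compose.OpenIDConnectRefreshFactory,
		barcode.ScopeFactory,
		barcode.CodeGrantFactory,
		barcode.GrantFactory,
	)
}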