package oauth2

import (
	"errors"
	"net/http"

	"github.com/gin-gonic/gin"
	"github.com/ory/fosite"

	"edge-infra.dev/pkg/edge/iam/apperror"
	"edge-infra.dev/pkg/edge/iam/config"
)

func (oauth2 *OAuth2) userInfo(ctx *gin.Context) error {
	userinfo := NewUserInfo(config.GetJWTStrategy(), oauth2.ProfileStorage)
	tokenFromRequest := fosite.AccessTokenFromRequest(ctx.Request)
	if len(tokenFromRequest) == 0 {
		ctx.Header("WWW-Authenticate", `Bearer realm="userinfo"`)
		return apperror.NewStatusError(errors.New("missing authorization"), http.StatusUnauthorized)
	}
	err := userinfo.ValidateAccessToken(ctx, tokenFromRequest)
	if err != nil {
		ctx.Header("WWW-Authenticate", `Bearer realm="userinfo" error="invalid_token"`)
		return apperror.NewStatusError(err, http.StatusUnauthorized)
	}
	sub, err := userinfo.GetSubject(ctx, tokenFromRequest)
	if err != nil || len(sub) == 0 {
		ctx.Header("WWW-Authenticate", `Bearer realm="userinfo" error="invalid_token"`)
		return apperror.NewStatusError(err, http.StatusUnauthorized)
	}
	idClaims, err := userinfo.GetIdentityClaims(ctx, sub)
	if err != nil {
		ctx.Header("WWW-Authenticate", `Bearer realm="userinfo" error="server_error"`)
		return apperror.NewStatusError(err, http.StatusInternalServerError)
	}
	ctx.JSON(http.StatusOK, idClaims)
	return nil
}