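package database

import (
	"context"
	"time"

	"github.com/go-redis/redis"
	"github.com/ory/fosite"
	"github.com/pkg/errors"

	"edge-infra.dev/pkg/edge/iam/config"
)

// RevokeRefreshToken revokes a refresh token as specified in:
// https://tools.ietf.org/html/rfc7009#section-2.1
// If the particular
// token is a refresh token and the authorization server supports the
// revocation of access tokens, then the authorization server SHOULD
// also invalidate all access tokens based on the same authorization
// grant (see Implementation Note).
//
// The method resolves requestID to the stored token signature, loads the
// refresh-token record for that signature, marks it inactive and writes it
// back. It does not touch access tokens itself; callers that need the RFC 7009
// behaviour quoted above must also call RevokeAccessToken.
//
// It returns fosite.ErrNotFound only when Redis reports that the key does not
// exist. Any other Redis error is returned with a stack trace, so that a
// backend failure is never reported as "token not found".
func (s *Store) RevokeRefreshToken(_ context.Context, requestID string) error {
	refreshReqKey := keyFrom(KeyPrefixRefreshTokenReq, requestID)

	signature, err := s.RedisDB.Get(refreshReqKey).Result()
	if err == redis.Nil {
		return fosite.ErrNotFound
	}
	if err != nil {
		// Fail closed: a caller that treats "not found" as "already revoked"
		// would otherwise report success for a token that is still active
		// whenever Redis is unreachable or times out. This matches the error
		// handling in RevokeAccessToken.
		return errors.WithStack(err)
	}

	refreshKey := keyFrom(KeyPrefixRefreshToken, signature)
	req, err := s.get(refreshKey)
	if err == redis.Nil {
		return errors.Wrap(fosite.ErrNotFound, "")
	}
	if err != nil {
		return errors.WithStack(err)
	}

	// The record is kept and flagged inactive rather than deleted.
	// NOTE(review): get and set are separate Redis calls; confirm that a
	// concurrent writer of the same key cannot restore Active=true in between.
	req.UpdateTime = time.Now().Unix()
	req.Active = false

	// The inactive record is rewritten with the full refresh-token TTL, so it
	// lives for one more TTL counted from the moment of revocation.
	if err := s.set(refreshKey, *req, config.GetRefreshTokenTTL()); err != nil {
		return errors.WithStack(err)
	}
	return nil
}

// RevokeRefreshTokenMaybeGracePeriod revokes a refresh token as specified in:
// https://tools.ietf.org/html/rfc7009#section-2.1
// If the particular
// token is a refresh token and the authorization server supports the
// revocation of access tokens, then the authorization server SHOULD
// also invalidate all access tokens based on the same authorization
// grant (see Implementation Note).
//
// The storage contract allows an implementation to keep the token usable for
// a configured grace period (expiration set to UTCNow + GracePeriod). This
// implementation applies no grace period: it ignores its third argument and
// delegates to RevokeRefreshToken, so the token is marked inactive at once.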
func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, _ string) error {
	// The third argument is unused and no grace period is applied here:
	// revocation takes effect through RevokeRefreshToken immediately.
	return s.RevokeRefreshToken(ctx, requestID)
}

// RevokeAccessToken revokes an access token as specified in:
// https://tools.ietf.org/html/rfc7009#section-2.1
// If the token passed to the request
// is an access token, the server MAY revoke the respective refresh
// token as well.
//
// The method resolves requestID to the stored token signature and passes that
// signature to DeleteAccessTokenSession. It makes no refresh-token call of its
// own. When no signature is stored for requestID it returns nil, since there
// is nothing left to revoke; every other error is returned with a stack trace.
func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) error {
	sig, lookupErr := s.RedisDB.Get(keyFrom(KeyPrefixAccessTokenReq, requestID)).Result()
	switch {
	case lookupErr == redis.Nil:
		// Missing key: treated as success, not as an error.
		return nil
	case lookupErr != nil:
		// Backend failures are surfaced so the caller does not assume the
		// token was revoked.
		return errors.WithStack(lookupErr)
	}

	if delErr := s.DeleteAccessTokenSession(ctx, sig); delErr != nil {
		return errors.WithStack(delErr)
	}
	return nil
}