package services

import (
	"context"
	"errors"
	"platform/web/auth"
	"platform/web/core"
	client2 "platform/web/domains/client"
	m "platform/web/models"
	q "platform/web/queries"
	"time"

	"gorm.io/gorm"
)

var Auth = &authService{}

type authService struct{}

// OauthAuthorizationCode 验证授权码
func (s *authService) OauthAuthorizationCode(ctx context.Context, client *m.Client, code, redirectURI, codeVerifier string) (*TokenDetails, error) {
	// TODO: 从数据库验证授权码
	return nil, errors.New("TODO")
}

// OauthClientCredentials 验证客户端凭证
func (s *authService) OauthClientCredentials(ctx context.Context, client *m.Client, scope ...string) (*TokenDetails, error) {

	var clientType auth.PayloadType
	switch client2.Spec(client.Spec) {
	case client2.SpecNative, client2.SpecBrowser:
		clientType = auth.PayloadPublicServer
	case client2.SpecWeb, client2.SpecTrusted:
		clientType = auth.PayloadSecuredServer
	}

	var permissions = make(map[string]struct{}, len(scope))
	for _, item := range scope {
		permissions[item] = struct{}{}
	}

	// 保存会话并返回令牌
	authCtx := auth.Context{
		Permissions: permissions,
		Payload: auth.Payload{
			Id:   client.ID,
			Type: clientType,
			Name: client.Name,
		},
	}

	// todo 数据库定义会话持续时间
	token, err := Session.Create(ctx, authCtx, false)
	if err != nil {
		return nil, err
	}

	return token, nil
}

// OauthRefreshToken 验证刷新令牌
func (s *authService) OauthRefreshToken(ctx context.Context, _ *m.Client, refreshToken string, scope ...[]string) (*TokenDetails, error) {
	// TODO: 从数据库验证刷新令牌
	details, err := Session.Refresh(ctx, refreshToken)
	if err != nil {
		return nil, err
	}

	return details, nil
}

// OauthPassword 验证密码
func (s *authService) OauthPassword(ctx context.Context, _ *m.Client, data *GrantPasswordData, ip, agent string) (*TokenDetails, error) {
	var user *m.User
	err := q.Q.Transaction(func(tx *q.Query) error {

		switch data.LoginType {
		case OauthGrantPasswordTypePhoneCode:
			// 验证验证码
			err := Verifier.VerifySms(ctx, data.Username, data.Password)
			if err != nil {
				if errors.Is(err, ErrVerifierServiceInvalid) {
					return ErrOauthInvalidRequest
				}
				return err
			}

			// 查找用户
			user, err =
				tx.User.Where(tx.User.Phone.Eq(data.Username)).Take()
			if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
				return err
			}
		case OauthGrantPasswordTypeEmailCode:
			var err error
			user, err = tx.User.Where(tx.User.Email.Eq(data.Username)).Take()
			if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
				return err
			}
		case OauthGrantPasswordTypePassword:
			var err error
			user, err = tx.User.
				Where(tx.User.Or(
					tx.User.Phone.Eq(data.Username),
					tx.User.Email.Eq(data.Username),
					tx.User.Username.Eq(data.Username),
				)).
				Take()
			if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
				return err
			}
		default:
			return ErrOauthInvalidRequest
		}

		// 如果用户不存在，初始化用户 todo 初始化默认权限信息
		if user == nil {
			user = &m.User{
				Phone:    data.Username,
				Username: data.Username,
			}
		}

		// 更新用户的登录时间
		user.LastLogin = core.LocalDateTime(time.Now())
		user.LastLoginHost = ip
		user.LastLoginAgent = agent
		if err := tx.User.Omit(q.User.AdminID).Save(user); err != nil {
			return err
		}

		return nil
	})
	if err != nil {
		return nil, err
	}

	// 保存到会话
	authCtx := auth.Context{
		Payload: auth.Payload{
			Id:     user.ID,
			Type:   auth.PayloadUser,
			Name:   user.Name,
			Avatar: user.Avatar,
		},
	}

	token, err := Session.Create(ctx, authCtx, data.Remember)
	if err != nil {
		return nil, err
	}

	return token, nil
}

type GrantCodeData struct {
	Code         string `json:"code" form:"code"`
	RedirectURI  string `json:"redirect_uri" form:"redirect_uri"`
	CodeVerifier string `json:"code_verifier" form:"code_verifier"`
}

type GrantClientData struct {
}

type GrantRefreshData struct {
	RefreshToken string `json:"refresh_token" form:"refresh_token"`
}

type GrantPasswordData struct {
	LoginType OauthGrantLoginType `json:"login_type" form:"login_type"`
	Username  string              `json:"username" form:"username"`
	Password  string              `json:"password" form:"password"`
	Remember  bool                `json:"remember" form:"remember"`
}

type OauthGrantType string

const (
	OauthGrantTypeAuthorizationCode = OauthGrantType("authorization_code")
	OauthGrantTypeClientCredentials = OauthGrantType("client_credentials")
	OauthGrantTypeRefreshToken      = OauthGrantType("refresh_token")
	OauthGrantTypePassword          = OauthGrantType("password")
)

type OauthGrantLoginType string

const (
	OauthGrantPasswordTypePassword  = OauthGrantLoginType("password")
	OauthGrantPasswordTypePhoneCode = OauthGrantLoginType("phone_code")
	OauthGrantPasswordTypeEmailCode = OauthGrantLoginType("email_code")
)

type AuthServiceError string

func (e AuthServiceError) Error() string {
	return string(e)
}

var (
	ErrOauthInvalidRequest       = AuthServiceError("invalid_request")
	ErrOauthInvalidClient        = AuthServiceError("invalid_client")
	ErrOauthInvalidGrant         = AuthServiceError("invalid_grant")
	ErrOauthInvalidScope         = AuthServiceError("invalid_scope")
	ErrOauthUnauthorizedClient   = AuthServiceError("unauthorized_client")
	ErrOauthUnsupportedGrantType = AuthServiceError("unsupported_grant_type")
)