defmodule SsoBsn.Accounts do
  @moduledoc """
  The Accounts context.
  """

  import Ecto.Query, warn: false
  alias SsoBsn.Repo

  alias SsoBsn.Accounts.{User, UserToken, UserKey}

  ## Database getters

  def reload_user(user), do: Repo.reload(user) |> Repo.preload(:keys)

  @doc """
  Gets a user by username.

  ## Examples

      iex> get_user_by_username("foo")
      %User{}

      iex> get_user_by_username("unknown")
      nil

  """
  def get_user_by_username(username) when is_binary(username) do
    Repo.get_by(User, username: username) |> Repo.preload(:keys)
  end

  @doc """
  Gets a single user.

  Raises `Ecto.NoResultsError` if the User does not exist.

  ## Examples

      iex> get_user!(123)
      %User{}

      iex> get_user!(456)
      ** (Ecto.NoResultsError)

  """
  def get_user!(id), do: Repo.get!(User, id) |> Repo.preload(:keys)

  ## User registration

  @doc """
  Registers a user.

  ## Examples

      iex> register_user(%{field: value})
      {:ok, %User{}}

      iex> register_user(%{field: bad_value})
      {:error, %Ecto.Changeset{}}

  """
  def register_user(attrs) do
    %User{}
    |> User.registration_changeset(attrs)
    |> Repo.insert()
  end

  @doc """
  Returns an `%Ecto.Changeset{}` for tracking user changes.

  ## Examples

      iex> change_user_registration(user)
      %Ecto.Changeset{data: %User{}}

  """
  def change_user_registration(%User{} = user, attrs \\ %{}) do
    User.registration_changeset(user, attrs)
  end

  ## Settings

  @doc """
  Returns an `%Ecto.Changeset{}` for changing the user username.

  ## Examples

      iex> change_user_username(user)
      %Ecto.Changeset{data: %User{}}

  """
  def change_user_username(user, attrs \\ %{}) do
    User.username_changeset(user, attrs)
  end

  ## Authentication

  def authentication_challenge(username \\ nil) do
    allowed_credentials =
      if username && String.trim(username) != "",
        do:
          get_user_by_username(username).keys |> Enum.map(&%{id: &1.key_id, type: "public-key"}),
        else: []

    challenge = Wax.new_authentication_challenge(allowed_credentials: allowed_credentials)

    {{username, challenge},
     %{
       challenge: Base.encode64(challenge.bytes, padding: false),
       allowCredentials: allowed_credentials
     }}
  end

  def authenticate_user({username, challenge}, %{
        "clientData" => client_data_json,
        "authenticatorData" => authenticator_data_b64,
        "signature" => sig_b64,
        "id" => credential_id,
        "type" => "public-key",
        "userHandle" => maybe_user_handle_b64
      }) do
    authenticator_data_raw = Base.decode64!(authenticator_data_b64)
    sig_raw = Base.decode64!(sig_b64)

    user = case Base.decode64(maybe_user_handle_b64) do
      {:ok, <<user_id::64>>} -> get_user!(user_id)
      _ ->get_user_by_username(username)
    end

    case Wax.authenticate(
           credential_id,
           authenticator_data_raw,
           sig_raw,
           client_data_json,
           challenge,
           user.keys
           |> Enum.map(&{&1.key_id, &1.cose_key})
         ) do
      {:ok, _result} -> {:ok, user}
      {:error, error} -> {:error, error}
    end
  end

  ## Registration

  @doc """
    Begin registration of a new webauthn key.
  """
  def registration_challenge(user) do
    challenge = Wax.new_registration_challenge()

    {challenge,
     %{
       attestation: "none",
       challenge: Base.encode64(challenge.bytes, padding: false),
       excludeCredentials:
         (user |> Repo.preload([:keys])).keys |> Enum.map(&%{id: &1.key_id, type: "public-key"}),
       rp: %{
         id: challenge.rp_id,
         name: "BSN SSO"
       },
       timeout: 60000,
       user: %{
         id: Base.encode64(<<user.id::64>>, padding: false),
         name: user.username,
         displayName: user.username
       }
     }}
  end

  def register_key(user, challenge, %{
        "attestation64" => attestation_64,
        "clientData" => client_data,
        "id" => id,
        "type" => "public-key"
      }) do
    attestation = Base.decode64!(attestation_64, padding: false)

    case Wax.register(attestation, client_data, challenge) do
      {:ok, {authenticator_data, _result}} ->
        user
        |> User.add_key_changeset()
        |> UserKey.new(%{
          key_id: id,
          cose_key: authenticator_data.attested_credential_data.credential_public_key
        })
        |> Repo.insert()

      {:error, e} ->
        {:error, e}
    end
  end

  ## Session

  @doc """
  Generates a session token.
  """
  def generate_user_session_token(user) do
    {token, user_token} = UserToken.build_session_token(user)
    Repo.insert!(user_token)
    token
  end

  @doc """
  Gets the user with the given signed token.
  """
  def get_user_by_session_token(token) do
    {:ok, query} = UserToken.verify_session_token_query(token)
    Repo.one(query) |> Repo.preload(:keys)
  end

  @doc """
  Deletes the signed token with the given context.
  """
  def delete_user_session_token(token) do
    Repo.delete_all(UserToken.token_and_context_query(token, "session"))
    :ok
  end

  def generate_user_login_token(user) do
    {token, user_token} = UserToken.build_login_token(user)
    Repo.insert!(user_token)
    token
  end

  def consume_login_token(login_token) do
    Repo.transaction(fn ->
      user_token = UserToken.token_and_context_query(login_token, "login") |> Repo.one() |> Repo.preload(:user)
      Repo.delete!(user_token)
      user_token.user
    end)
  end
end