//! # Authorization
//! Authorization for a Reddit client is done by OAuth, which can be done multiple (3) ways. The
//! possible methods of authorization are Script, Installed App, and Web App. Currently, only
//! the first two are supported by orca. There are certain use cases for each app type.
//!
//! ## Scripts
//!
//! Script apps are used when you only want to authorize one user, that you own. This is the app
//! type used for bots. It's special because it can keep a secret (secrets can be stored on the
//! with the client). To create a script app, you first have to register it at
//! [https://www.reddit.com/prefs/apps](https://www.reddit.com/prefs/apps). Make sure you're logged
//! in as the user you want the script to authorize as when you register the app. At the bottom of
//! the page, click "Create New App", and fill in the name, select script type, enter a short
//! description (that will only be seen by you), leave the about url empty, and set the redirect uri
//! to `https://www.example.com`. (We do this because this field is only necessary for installed
//! apps but is required to be filled in anyway.)
//!
//! Once you create the app, a box should pop up that has the name of your app, and then shortly
//! below it a string of random characters. This is the id of the script. Then lower in the
//! properties there should be a field called "secret" with another long string of characters. That
//! is your app's secret.
//!
//! Once you have the id and secret, you can instantiate an `OAuthApp::Script` enum with the id and
//! secret of the script and the username and password of the user that registered the app, and
//! pass it into the `authorize` function of an `App` instance.
//!
//! ## Installed Apps
//!
//! Installed apps are used when you want your program to be able to be authorized as any user that
//! is using it. They are unable to keep a secret, so it is more complicated to authorize them.
//! An installed app has no secret id. Instead, it requires that the user visits a url to reddit.com
//! containing info for authorization. After authorizing, reddit.com will redirect the web browser
//! to the redirect uri specified during the app registration, with the tokens requested as
//! parameters. The redirect uri is usually the loopback address with a custom port, and the app
//! starts an HTTP server to recieve that request and the tokens included.
//!
//! Most of this work is implemented for you by orca. At the moment, there is some lacking in
//! customizability, but that will hopefully change in the future. Currently, orca opens the
//! reddit.com in the default browser using the `open` crate, and the redirect uri must always be
//! 127.0.0.1:7878.
//!
//! To create an installed app, the process at first is similar to Script app types. Visit
//! [https://www.reddit.com/prefs/apps](https://www.reddit.com/prefs/apps), and create a new app,
//! this time with the installed type. Fill in the name, set it to installed app, fill in a short
//! description (this time it's visible by anyone using your app), enter an about url if you want,
//! and set the redirect uri to exactly `http://127.0.0.1:7878` (hopefully this will be customizable
//! in the future).
//!
//! When you create this app, the id of the app will be shorly below the name in the box that comes
//! upp. Now in you application code, create an `OAuthApp::InstalledApp` with the id of you app and
//! the redirect uri exactly as you entered it when you registered the app. When you call the
//! `authorize` function with this as a parameter, it will open a web browser with either a reddit
//! login prompt, or if you are already logged in, a request for permission for your app. Once you
//! click allow, the page should redirect to a simple display of the words `Authorization successful`.
//! Hopefully this too will be customizable one day.
//!
//! Installed apps, unlike scripts, require periodic reauthorization, or will expire without the
//! possibility of refreshing if a permanent duration wasn't requested. This should be done
//! automatically by the `net::Connection` instance.

use std;
use std::collections::HashMap;
use std::thread;
use std::time::{Duration, Instant};
use std::cell::{Cell, RefCell};
use std::sync::Arc;
use rand::{self, Rng};

use hyper::{Error as HyperError, Method, Request};
use hyper::server::{Http, NewService, Response, Service};
use hyper::header::{Authorization, Basic};
use futures::Future;
use futures::future::ok;
use futures::sync::oneshot::{self, Sender};
use open;
use url::{self, Url};
use failure::Error;

use errors::RedditError;
use net::Connection;
use net::body_from_map;

/// Function type that is passed into OAuthApp::InstalledApp to generate response from code retrieval.
pub type ResponseGenFn = Fn(Result<String, InstalledAppError>) -> Result<Response, Response>;

/// Enum representing OAuth information that has been aquired from authorization. This should only be
/// used internally within orca.
#[derive(Debug, Clone)]
pub enum OAuth {
	/// Script app type
	Script {
		/// Id of the script
		id: String,
		/// Secret of the script
		secret: String,
		/// Username of the script user
		username: String,
		/// Password of the script user
		password: String,
		/// Token retrieved from script authorization
		token: String,
	},
	/// Installed app type
	InstalledApp {
		/// Id of the installed app
		id: String,
		/// Redirect url of the installed app
		redirect: String,
		/// Token currently in use
		token: RefCell<String>,
		/// The refresh token (to be used to retrieve a new token once the current one expires).
		/// Not present if temporary authorization was requested
		refresh_token: RefCell<Option<String>>,
		/// Instant when the current token expires
		expire_instant: Cell<Option<Instant>>,
	},
}

impl OAuth {
	/// Refreshes the token (only necessary for installed app types)
	pub fn refresh(&self, conn: &Connection) -> Result<(), Error> {
		match *self {
			OAuth::Script { .. } => {
				Ok(())
			},
			OAuth::InstalledApp {
				ref id,
				redirect: ref _redirect,
				ref token,
				ref refresh_token,
				ref expire_instant,
			} => {
				let old_refresh_token = if let Some(ref refresh_token) = *refresh_token.borrow() {
					refresh_token.clone()
				} else {
					return Err(RedditError::AuthError.into())
				};
				// Get the access token with the new code we just got
				let mut params: HashMap<&str, &str> = HashMap::new();
				params.insert("grant_type", "refresh_token");
				params.insert("refresh_token", &old_refresh_token);
				
				// Request for the access token
				let mut tokenreq = Request::new(
					Method::Post,
					"https://www.reddit.com/api/v1/access_token/.json".parse()?,
				); // httpS is important
				tokenreq.set_method(Method::Post);
				tokenreq.set_body(body_from_map(&params));
				tokenreq.headers_mut().set(Authorization(Basic {
					username: id.to_string(),
					password: None,
				}));
				
				// Send the request and get the access token as a response
				let response = conn.run_request(tokenreq)?;
				
				if let (Some(expires_in), Some(new_token), Some(scope)) = (
					response.get("expires_in"),
					response.get("access_token"),
					response.get("scope"),
				) {
					let expires_in = expires_in.as_u64().unwrap();
					let new_token = new_token.as_str().unwrap();
					let _scope = scope.as_str().unwrap();
					*token.borrow_mut() = new_token.to_string();
					expire_instant.set(Some(Instant::now() + Duration::new(expires_in.to_string().parse::<u64>().unwrap(), 0)));
					
					Ok(())
				} else {
					Err(Error::from(RedditError::AuthError))
				}
			}
		}
	}
	
	/// Authorize the app as a script
	/// # Arguments
	/// * `conn` - A refernce to the connection to authorize
	/// * `id` - The app id registered on Reddit
	/// * `secret` - The app secret registered on Reddit
	/// * `username` - The username of the user to authorize as
	/// * `password` - The password of the user to authorize as
	pub fn create_script(conn: &Connection, id: &str, secret: &str, username: &str, password: &str)
		-> Result<OAuth, Error> {
		// authorization paramaters to request
		let mut params: HashMap<&str, &str> = HashMap::new();
		params.insert("grant_type", "password");
		params.insert("username", &username);
		params.insert("password", &password);
		
		// Request for the bearer token
		let mut tokenreq = Request::new(
			Method::Post,
			"https://ssl.reddit.com/api/v1/access_token/.json".parse()?,
		); // httpS is important
		tokenreq.set_body(body_from_map(&params));
		tokenreq.headers_mut().set(Authorization(Basic {
			username: id.to_string(),
			password: Some(secret.to_string()),
		}));
		
		// Send the request and get the bearer token as a response
		let response = conn.run_request(tokenreq)?;
		
		if let Some(token) = response.get("access_token") {
			let token = token.as_str().unwrap().to_string();
			Ok(OAuth::Script {
				id: id.to_string(),
				secret: secret.to_string(),
				username: username.to_string(),
				password: password.to_string(),
				token,
			})
		} else {
			Err(RedditError::AuthError.into())
		}
	}
	
	/// Authorize the app as an installed app
	/// # Arguments
	/// * `conn` - A reference to the connection to authorize
	/// * `id` - The app id registered on Reddit
	/// * `redirect` - The app redirect URI registered on Reddit
	/// * `response_gen` - An optional function that generates a hyper Response to give to the user
	/// based on the result of the authorization attempt. The signature is `(Result<String, InstalledAppError) -> Result<Response, Response>`.
	/// The result passed in is either Ok with the code recieved, or Err with the error that occurred.
	/// The value returned should usually be an Ok(Response), but you can return Err(Response) to indicate
	/// that an error occurred within the function.
	/// * `scopes` - A reference to a Scopes instance representing the capabilites you are requesting
	/// as an installed app.
	pub fn create_installed_app<I: Into<Option<Arc<ResponseGenFn>>>>(conn: &Connection,
	                                                                 id: &str,
	                                                                 redirect: &str,
	                                                                 response_gen: I,
	                                                                 scopes: &Scopes)
		-> Result<OAuth, Error> {
		let response_gen = response_gen.into();
		// Random state string to identify this authorization instance
		let state = rand::thread_rng()
				.gen_ascii_chars()
				.take(16)
				.collect::<String>();
		
		let scopes = &scopes.to_string();
		let browser_uri = format!(
			"https://www.reddit.com/api/v1/authorize?client_id={}&response_type=code&\
					 state={}&redirect_uri={}&duration=permanent&scope={}",
			id, state, redirect, scopes
		);
		
		// Open the auth url in the browser so the user can authenticate the app
		thread::spawn(move || {
			open::that(browser_uri).expect("Failed to open browser");
		});
		
		// A oneshot future channel that the hyper server has access to to send the code back
		// to this thread.
		let (code_sender, code_reciever) = oneshot::channel::<Result<String, InstalledAppError>>();
		
		// Convert the redirect url into something parseable by the HTTP server
		let redirect_url = Url::parse(&redirect)?;
		let main_redirect = format!(
			"{}:{}",
			redirect_url.host_str().unwrap_or("127.0.0.1"),
			redirect_url.port().unwrap_or(7878).to_string()
		);
		
		// Set the default response generator if necessary
		let response_gen = if let Some(ref response_gen) = response_gen {
			Arc::clone(response_gen)
		} else {
			Arc::new(
				|res: Result<String, InstalledAppError>| -> Result<Response, Response> {
					match res {
						Ok(_) => Ok(Response::new().with_body("Successfully got the code")),
						Err(e) => Err(Response::new().with_body(format!("{}", e))),
					}
				},
			)
		};
		
		// Create a server with the instance of a NewInstalledAppService struct with the
		// responses given, the oneshot sender and the generated state string
		let server = Http::new().bind(
			&main_redirect.as_str().parse()?,
			NewInstalledAppService {
				sender: RefCell::new(Some(code_sender)),
				state: state.clone(),
				response_gen,
			},
		)?;
		
		// Create a code value that is optional but should be set eventually
		let code: RefCell<Result<String, InstalledAppError>> = RefCell::new(Err(InstalledAppError::NeverRecieved));
		
		// When the code_reciever oneshot resolves, set the new_code value.
		let finish = code_reciever.then(|new_code| -> Result<(), ()> {
			if let Ok(new_code) = new_code {
				match new_code {
					Ok(new_code) => {
						*code.borrow_mut() = Ok(new_code);
						Ok(())
					}
					Err(e) => {
						*code.borrow_mut() = Err(e);
						Err(())
					}
				}
			} else {
				Err(())
			}
		});
		
		// Run the server until the code future oneshot resolves and has set the code variable.
		server.run_until(finish)?;
		
		// Make sure we got the code. Return an error if we didn't.
		let code = match *code.borrow() {
			Ok(ref new_code) => new_code.clone(),
			Err(ref e) => return Err(e.clone().into()),
		};
		
		// Get the access token with the new code we just got
		let mut params: HashMap<&str, &str> = HashMap::new();
		params.insert("grant_type", "authorization_code");
		params.insert("code", &code);
		params.insert("redirect_uri", &redirect);
		
		// Request for the access token
		let mut tokenreq = Request::new(
			Method::Post,
			"https://ssl.reddit.com/api/v1/access_token/.json".parse()?,
		); // httpS is important
		tokenreq.set_body(body_from_map(&params));
		tokenreq.headers_mut().set(Authorization(Basic {
			username: id.to_string(),
			password: None,
		}));
		
		// Send the request and get the access token as a response
		let response = conn.run_request(tokenreq)?;
		
		if let (Some(expires_in), Some(token), Some(refresh_token), Some(scope)) = (
			response.get("expires_in"),
			response.get("access_token"),
			response.get("refresh_token"),
			response.get("scope"),
		) {
			let expires_in = expires_in.as_u64().unwrap();
			let token = token.as_str().unwrap();
			let refresh_token = refresh_token.as_str().unwrap();
			let _scope = scope.as_str().unwrap();
			Ok(OAuth::InstalledApp {
				id: id.to_string(),
				redirect: redirect.to_string(),
				token: RefCell::new(token.to_string()),
				refresh_token: RefCell::new(Some(refresh_token.to_string())),
				expire_instant: Cell::new(Some(
					Instant::now() + Duration::new(expires_in.to_string().parse::<u64>().unwrap(), 0),
				)),
			})
		} else {
			Err(Error::from(RedditError::AuthError))
		}
	}
}


/// A struct representing scopes that an installed app can request permission for.
/// To use, create an instance of the struct and set the fields you want to use to true.
///
/// Note: In the field documentation, "the user" refers to the currently authorized user
pub struct Scopes {
	/// See detailed info about the user
	pub identity: bool,
	/// Edit posts of the user
	pub edit: bool,
	/// Flair posts of the user
	pub flair: bool,
	/// Unknown
	pub history: bool,
	/// Unknown
	pub modconfig: bool,
	/// Unknown
	pub modflair: bool,
	/// Unknown
	pub modlog: bool,
	/// Unknown
	pub modposts: bool,
	/// Unknown
	pub modwiki: bool,
	/// Unknown
	pub mysubreddits: bool,
	/// Unknown
	pub privatemessages: bool,
	/// Unknown
	pub read: bool,
	/// Report posts on behalf of the user
	pub report: bool,
	/// Save posts to the user's account
	pub save: bool,
	/// Submit posts on behalf of the user
	pub submit: bool,
	/// Unknown
	pub subscribe: bool,
	/// Vote on things on behalf of the user
	pub vote: bool,
	/// Unknown
	pub wikiedit: bool,
	/// Unknown
	pub wikiread: bool,
	/// Unknown
	pub account: bool,
}

impl Scopes {
	/// Create a scopes instance with no permissions requested
	pub fn empty() -> Scopes {
		Scopes {
			identity: false,
			edit: false,
			flair: false,
			history: false,
			modconfig: false,
			modflair: false,
			modlog: false,
			modposts: false,
			modwiki: false,
			mysubreddits: false,
			privatemessages: false,
			read: false,
			report: false,
			save: false,
			submit: false,
			subscribe: false,
			vote: false,
			wikiedit: false,
			wikiread: false,
			account: false,
		}
	}
	
	/// Create a scopes instance with all permissions requested
	pub fn all() -> Scopes {
		Scopes {
			identity: true,
			edit: true,
			flair: true,
			history: true,
			modconfig: true,
			modflair: true,
			modlog: true,
			modposts: true,
			modwiki: true,
			mysubreddits: true,
			privatemessages: true,
			read: true,
			report: true,
			save: true,
			submit: true,
			subscribe: true,
			vote: true,
			wikiedit: true,
			wikiread: true,
			account: true,
		}
	}
	
	/// Convert the struct to a string representation to be sent to Reddit
	fn to_string(&self) -> String {
		let mut string = String::new();
		if self.identity {
			string.push_str("identity");
		}
		if self.edit {
			string.push_str(",edit");
		}
		if self.flair {
			string.push_str(",flair");
		}
		if self.history {
			string.push_str(",history");
		}
		if self.modconfig {
			string.push_str(",modconfig");
		}
		if self.modflair {
			string.push_str(",modflair");
		}
		if self.modlog {
			string.push_str(",modlog");
		}
		if self.modposts {
			string.push_str(",modposts");
		}
		if self.modwiki {
			string.push_str(",modwiki");
		}
		if self.mysubreddits {
			string.push_str(",mysubreddits");
		}
		if self.privatemessages {
			string.push_str(",privatemessages");
		}
		if self.read {
			string.push_str(",read");
		}
		if self.report {
			string.push_str(",report");
		}
		if self.save {
			string.push_str(",save");
		}
		if self.submit {
			string.push_str(",submit");
		}
		if self.subscribe {
			string.push_str(",subscribe");
		}
		if self.vote {
			string.push_str(",vote");
		}
		if self.wikiedit {
			string.push_str(",wikiedit");
		}
		if self.wikiread {
			string.push_str(",wikiread");
		}
		if self.account {
			string.push_str(",account");
		}
		
		string
	}
}

/// Enum that contains possible errors from a request for the OAuth Installed App type.
#[derive(Debug, Fail, Clone)]
pub enum InstalledAppError {
	/// Got a generic error in the request
	#[fail(display = "Got an unknown error: {}", msg)]
	Error {
		/// The message included in the error
		msg: String,
	},
	/// The state string wasn't present or did not match
	#[fail(display = "The states did not match")]
	MismatchedState,
	/// The code has already been recieved
	#[fail(display = "A code was already recieved")]
	AlreadyRecieved,
	/// No message was ever recieved
	#[fail(display = "No message was ever recieved")]
	NeverRecieved,
}

// The struct that creates new InstalledAppServices when necessary. Basically the same thing as the
// InstalledAppService, not sure why it's even necessary but I'm too scared to touch it now.
struct NewInstalledAppService {
	sender: RefCell<Option<Sender<Result<String, InstalledAppError>>>>,
	state: String,
	response_gen: Arc<ResponseGenFn>,
}

impl NewService for NewInstalledAppService {
	type Request = Request;
	type Response = Response;
	type Error = HyperError;

	type Instance = InstalledAppService;

	fn new_service(&self) -> Result<Self::Instance, std::io::Error> {
		let code_sender = RefCell::new(self.sender.pop());

		Ok(InstalledAppService {
			code_sender,
			state: self.state.clone(),
			response_gen: Arc::clone(&self.response_gen),
		})
	}
}

// The service that has the code_sender to send the code back to the main thread, the state to verify
// that this is the right authorization instance, the optional responses, and a tokio Core needed to
// clone the responses.
struct InstalledAppService {
	code_sender: RefCell<Option<Sender<Result<String, InstalledAppError>>>>,
	state: String,
	response_gen: Arc<ResponseGenFn>,
}

impl Service for InstalledAppService {
	type Request = Request;
	type Response = Response;
	type Error = HyperError;

	type Future = Box<Future<Item = Self::Response, Error = Self::Error>>;

	fn call(&self, req: Request) -> Self::Future {
		// Get the data from the request (the state and the code, or the error) in a HashMap
		let query_str = req.uri().as_ref();
		let query_str = &query_str[2..query_str.len()];
		let params: HashMap<_, _> = url::form_urlencoded::parse(query_str.as_bytes()).collect();

		// Get the response from a Result<Response, Response> and log an error when a response is
		// failed.
		fn split(res: Result<Response, Response>) -> Response {
			match res {
				Ok(t) => t,
				Err(t) => {
					error!("User's closure generated an error response {:?}", t);
					t
				}
			}
		}

		// Create a HTTP response based on the result of the code retrieval, the code sender, and the
		// response generator.
		fn create_res(gen: &ResponseGenFn, res: Result<String, InstalledAppError>, sender: &RefCell<Option<Sender<Result<String, InstalledAppError>>>>) -> Box<Future<Item = Response, Error = HyperError>> {
			let resp = if let Some(sender) = sender.pop() {
				let resp = gen(res.clone());
				sender.send(res).unwrap();
				resp
			} else {
				gen(Err(InstalledAppError::AlreadyRecieved))
			};
			Box::new(ok(split(resp)))
		}

		// If there was an error stop here, returning the error response
		if params.contains_key("error") {
			warn!("Got failed authorization. Error was {}", &params["error"]);
			let err = InstalledAppError::Error {
				msg: params["error"].to_string(),
			};
			create_res(&*self.response_gen, Err(err.clone()), &self.code_sender)
		} else {
			// Get the state if it exists
			let state = if let Some(state) = params.get("state") {
				state
			} else {
				// Return error response if we didn't get the state
				return create_res(
					&*self.response_gen,
					Err(InstalledAppError::MismatchedState),
					&self.code_sender,
				);
			};
			// Error if the state doesn't match
			if *state != self.state {
				error!(
					"State didn't match. Got state \"{}\", needed state \"{}\"",
					state, self.state
				);
				create_res(
					&*self.response_gen,
					Err(InstalledAppError::MismatchedState),
					&self.code_sender,
				)
			} else {
				// Get the code and send it with the oneshot sender back to the main thread
				let code = &params["code"];
				create_res(
					&*self.response_gen,
					Ok(code.clone().into()),
					&self.code_sender,
				)
			}
		}
	}
}

// A neat trait I came up with. If you have a RefCell<Option<T>>, then you can call pop() on it and
// it will take the value out of the RefCell and give it back. If it doesn't exist, then it just returns None.
trait RefCellExt<T> {
	fn pop(&self) -> Option<T>;
}

impl<T: std::fmt::Debug> RefCellExt<T> for RefCell<Option<T>> {
	fn pop(&self) -> Option<T> {
		if self.borrow().is_some() {
			return std::mem::replace(&mut *self.borrow_mut(), None);
		}

		None
	}
}