use actix_web::{get, web, HttpRequest, HttpResponse, Scope};
extern crate jsonwebtoken as jwt;

use jwt::{encode, EncodingKey, Header};
use jwtk::PublicKeyToJwk;
use serde_json::json;
use url::Url;
use url_params_serializer::to_url_params;

use crate::{auth::ClaimsPrincipal, oauth2::OAuthManager};

/// Our claims struct, it needs to derive `Serialize` and/or `Deserialize`
#[derive(Debug, Serialize, Deserialize)]
struct Claims {
    sub: String,
    company: String,
    exp: usize,
}

struct Oauth2Config {
    // key_file: String,
    // private_key: Mutex<Vec<u8>>,
    private_key: jwtk::SomePrivateKey,
    // encoding_key: EncodingKey,
}

// https://actix.rs/docs/application#configure
// this function could be located in a different module
pub fn config() -> Scope {
    let _ = std::fs::read("localhost.key").unwrap();

    let k = jwtk::SomePrivateKey::from_pem(
        &std::fs::read("localhost.key").unwrap(),
        match std::env::var("RSA_ALGO").as_deref() {
            Ok(alg) => jwtk::rsa::RsaAlgorithm::from_name(alg).unwrap(),
            _ => jwtk::rsa::RsaAlgorithm::RS256,
        },
    )
    .unwrap();

    let oauth_config = web::Data::new(Oauth2Config {
        // key_file: String::from("localhost.key"),
        private_key: k,
        // encoding_key: EncodingKey::from_rsa_pem(&std::fs::read("localhost.key").unwrap()).unwrap(),
    });

    web::scope("/v2")
        .app_data(oauth_config.clone())
        .service(authorize_endpoint)
        .service(token_endpoint)
        .service(keys_endpoint)
        .service(test_endpoint)
        .service(crate::server::openid_connect::metadata)
}

// jwk -> https://crates.io/crates/jsonwebkey

#[get("/auth")]
async fn authorize_endpoint(
    _auth_form: web::Form<crate::oauth2::auth::AuthRequest>,
    auth_request_query: web::Query<crate::oauth2::auth::AuthRequest>,
    _req: HttpRequest,
    _config: web::Data<Oauth2Config>,
) -> HttpResponse {
    // let issued_at = chrono::offset::Utc::now();
    // let expires_at = issued_at + chrono::Duration::minutes(10);

    // let json_claims = json!({ "company": "darkspace.dev", "iat": issued_at.timestamp(), "exp": expires_at.timestamp(), "sub": "<user-id>" });

    // let token = encode(
    //     &Header::new(Algorithm::RS256),
    //     &json_claims,
    //     &config.encoding_key,
    // )
    // .unwrap();

    /*
        let key: Hmac<Sha256> =
            Hmac::new_from_slice(b"some-secret asdf asdf asdf asdf asdf asdf asdf asdfa sdfaaf")
                .unwrap();

        let header = Header {
            algorithm: AlgorithmType::Rs256,
            ..Default::default()
        };
        let mut claims = BTreeMap::new();
        claims.insert("sub", "someone");
        let token = Token::new(header, claims).sign_with_key(&key).unwrap();
    */

    let auth_request = auth_request_query.0.to_owned();

    let mut auth_manager = OAuthManager::new();
    let auth_result = auth_manager.authorize(&auth_request);

    let mode = _req.headers().get("mode");

    if mode != Option::None && mode.unwrap() == "debug" {
        return match auth_result {
            Ok(v) => HttpResponse::Ok().json(v),
            Err(e) => HttpResponse::BadRequest().json(e),
        };
    }

    let redirect_result = match auth_result {
        Ok(v) => {
            // A response MUST ALWAYS have a callback_uri!
            let callback_uri = v.callback_uri.to_owned();
            Url::parse_with_params(callback_uri.unwrap().as_str(), to_url_params(v)).unwrap()
        }
        Err(e) => {
            let url_params = to_url_params(e.to_owned());
            let mut callback_uri = e.callback_uri.to_owned();

            if e.callback_uri == Option::None {
                let mut error_callback = String::from("");
                error_callback.push_str(_req.connection_info().scheme());
                error_callback.push_str("://");
                error_callback.push_str(_req.connection_info().host());
                error_callback.push_str("/error");

                callback_uri = Some(error_callback);
            }

            Url::parse_with_params(callback_uri.unwrap().as_str(), url_params).unwrap()
        }
    };

    HttpResponse::TemporaryRedirect()
        .append_header(("Location", redirect_result.to_string()))
        .finish()
}

#[get("/token")]
async fn token_endpoint(_req: HttpRequest, _config: web::Data<Oauth2Config>) -> HttpResponse {
    let error = crate::oauth2::token::TokenErrorResponse::new();

    HttpResponse::Ok()
        .content_type("application/json")
        .json(error)
}

#[get("/test")]
async fn test_endpoint(_req: HttpRequest, _config: web::Data<Oauth2Config>) -> HttpResponse {
    let mut claims_principal = ClaimsPrincipal::new();

    claims_principal.add_claim("role", json!("a"));
    claims_principal.add_claim("role", json!("b"));
    claims_principal.add_claim("role", json!("c"));
    claims_principal.add_claim("iat", json!(10));
    claims_principal.add_claim("expired", json!(false));

    let token = encode(
        &Header::default(),
        &claims_principal.as_claims_map(),
        &EncodingKey::from_secret("secret".as_ref()),
    )
    .unwrap();

    HttpResponse::Ok().content_type("text/plain").body(token)
}

#[get("/keys")]
async fn keys_endpoint(_req: HttpRequest, config: web::Data<Oauth2Config>) -> HttpResponse {
    let k_public_jwk = config.private_key.public_key_to_jwk().unwrap();

    let jwks = jwtk::jwk::JwkSet {
        keys: vec![k_public_jwk],
    };

    HttpResponse::Ok()
        .content_type("application/json")
        .json(jwks)
}