defmodule AuthPlug do
  @moduledoc """
  `AuthPlug` handles all our auth needs in just a handful of lines of code.
  Please see `` for setup instructions.
  import Plug.Conn,
    only: [
      assign: 3,
      clear_session: 1,
      configure_session: 2,
      delete_session: 2,
      halt: 1,
      put_resp_header: 3,
      resp: 3

  require Logger

  # Moch HTTPoison requests in Dev/Test, see:
  @httpoison (Application.compile_env(:auth_plug, :httpoison_mock) && AuthPlug.HTTPoisonMock) ||

  @doc """
  `init/1` initialises the options passed in and makes them
  available in the lifecycle of the `call/2` invocation (below).
  We pass in the `auth_url` key/value with the URL of the Auth service
  to redirect to if session is invalid/expired.
  def init(options) do
    # return options unmodified

  @doc """
  `call/2` is invoked to handle each HTTP request which `auth_plug` protects.
  If the `conn` contains a valid JWT in Authentication Headers,
  jwt query parameter or Phoenix Session, then continue to the protected route,
  else redirect to the `auth_url` with the referer set as the continuation URL.
  def call(conn, _options) do
    jwt = AuthPlug.Token.get_jwt(conn)

    case AuthPlug.Token.verify_jwt(jwt) do
      {:ok, values} ->
        AuthPlug.Token.put_current_token(conn, jwt, values)

      # log the JWT verify error then redirect:
      {:error, reason} ->
        Logger.error("AuthPlug: " <> Kernel.inspect(reason))

  # redirect to auth_url with referer to resume once authenticated:
  defp redirect_to_auth(conn) do
    to = get_auth_url(conn)

    # gotta tell the browser to temporarily redirect to the auth_url with 302
    status = 302

    # redirect to auth_url
    |> put_resp_header("location", to)
    # only our tests see this.
    |> resp(status, "unauthorized")
    # halt the conn so no further processing is done.
    |> halt()

  # Proxy function for to avoid breaking existing apps that rely on this:
  def create_jwt_session(conn, claims) do
    AuthPlug.Token.create_jwt_session(conn, claims)

  @doc """
  `logout/1` does exactly what you expect; logs the person out of your app.
  receives a `conn` (Plug.Conn) and unsets the session.
  This is super-useful in testing as we can easily reset a session.
  def logout(conn) do
    conn = update_in(conn.assigns, &Map.drop(&1, [:jwt, :person]))

    # see below. makes REST API req to auth_url/end_session
    |> end_session()
    |> delete_session(:jwt)
    |> clear_session()
    |> configure_session(drop: true)
    |> assign(:state, "logout")
    |> assign(:loggedin, false)

  @doc """
  `assign_jwt_to_socket/3` assigns a 'person' object containing information
  about the authenticated person to the socket
  in case the jwt parse is successful.
  It raises an error if jwt is not valid.
  This function is especially handy with LiveView.
  Invoke this as:
  socket = socket
    |> AuthPlug.assign_jwt_to_socket(&Phoenix.LiveView.assign_new/3, jwt)
  `socket` is the first argument to `assign_jwt_to_socket/3` so it's chainable.
  def assign_jwt_to_socket(socket, assign_new, jwt) do
    claims =
      |> AuthPlug.Token.verify_jwt!()
      |> AuthPlug.Helpers.strip_struct_metadata()
      |> Useful.atomize_map_keys()

    socket =
      #  Pass function by reference in Elixir:
      |> assign_new.(:person, fn -> claims end)
      |> assign_new.(:loggedin, fn -> true end)


  # `parse_body_response/1` parses the REST HTTP response
  # so your app can use the resulting JSON.
  defp parse_body_response(response) do
    body = Map.get(response, :body)
    {:ok, str_key_map} = Jason.decode(body)

    {:ok, Useful.atomize_map_keys(str_key_map)}

  # Send query to auth app to end session.
  # Returns tuple with status code and message
  def end_session_auth(auth_url) do
    with {:ok, response} <-, ''),
         {:status_code, 200} <- {:status_code, response.status_code} do
      {:ok, res} = parse_body_response(response)
      {200, res.message}
      {:status_code, status_code} ->
        {status_code, "status code: #{status_code}"}

      {:error, _httpoison_error} ->
        {400, "The request to the auth app failed"}

  @doc """
  `end_session/1` makes an HTTP Request to the auth_url
  to end the session. This in turn makes the update on the auth app
  to update the session.end so the owner of the "consumer" app
  knows when the person logged out.
  `end_session/1` is invoked by `AuthPlug.logout/1` (above)
  which will likely be the function called in practice.
  def end_session(conn) do
    auth_url = AuthPlug.Token.auth_url()
    client_id = AuthPlug.Token.client_id()
    jwt = AuthPlug.Token.get_jwt(conn)

    {:ok, claims_strs} = AuthPlug.Token.verify_jwt(jwt)
    claims = Useful.atomize_map_keys(claims_strs)

    {status_code, message} =

    resp(conn, status_code, message)

  @doc """
  `get_auth_url/2` returns a string representing
  the auth url.
  The first parameter is `conn`,
  the second is optional and represents
  the endpoint in your application where the auth application will
  redirect to after authentication.
  By default the second parameter value is `conn.request_path` which represents
  the current path.

  ## Examples

  iex> AuthPlug.get_auth_url(conn)

  iex> AuthPlug.get_auth_url(conn, "/mypage)
  def get_auth_url(conn, redirect_to \\ nil) do
    auth_url = AuthPlug.Token.auth_url()
    request_path = redirect_to || conn.request_path

    referer =
      |> AuthPlug.Helpers.get_baseurl_from_conn()
      |> Kernel.<>(request_path)
      |> URI.encode()

    client_id = AuthPlug.Token.client_id()