defmodule Guardian.Token.Jwt.Verify do
  @moduledoc """
  Verifies standard jwt fields
  """
  use Guardian.Token.Verify

  alias Guardian.Token.Verify

  @behaviour Guardian.Token.Verify

  @impl Guardian.Token.Verify
  @spec verify_claim(
          mod :: module,
          claim_key :: String.t(),
          claims :: Guardian.Token.claims(),
          options :: Guardian.options()
        ) :: {:ok, Guardian.Token.claims()} | {:error, atom}
  def verify_claim(mod, "iss", %{"iss" => iss} = claims, _opts) do
    issuer = apply(mod, :config, [:issuer])
    verify_issuer = apply(mod, :config, [:verify_issuer])

    cond do
      verify_issuer && issuer == iss -> {:ok, claims}
      verify_issuer -> {:error, :invalid_issuer}
      true -> {:ok, claims}
    end
  end

  def verify_claim(_mod, "nbf", %{"nbf" => nil} = claims, _opts), do: {:ok, claims}

  def verify_claim(mod, "nbf", %{"nbf" => nbf} = claims, _opts) do
    if Verify.time_within_drift?(mod, nbf) || nbf <= Guardian.timestamp() do
      {:ok, claims}
    else
      {:error, :token_not_yet_valid}
    end
  end

  def verify_claim(_mod, "exp", %{"exp" => nil} = claims, _opts), do: {:ok, claims}

  def verify_claim(mod, "exp", %{"exp" => exp} = claims, _opts) do
    if Verify.time_within_drift?(mod, exp) || exp >= Guardian.timestamp() do
      {:ok, claims}
    else
      {:error, :token_expired}
    end
  end

  def verify_claim(_mod, "auth_time", %{"auth_time" => nil} = claims, _opts), do: {:ok, claims}

  def verify_claim(mod, "auth_time", %{"auth_time" => auth_time} = claims, opts) do
    max_age = opts[:max_age] || mod.config(:max_age)

    cond do
      max_age == nil -> {:ok, claims}
      Verify.time_within_drift?(mod, auth_time) -> {:ok, claims}
      Guardian.timestamp() <= auth_time + Guardian.ttl_to_seconds(max_age) -> {:ok, claims}
      true -> {:error, :token_expired}
    end
  end

  def verify_claim(_mod, _claim_key, claims, _opts), do: {:ok, claims}
end