'use strict';

exports = module.exports = {
    initialize: initialize,
    uninitialize: uninitialize,

    scope: scope,
    websocketAuth: websocketAuth
};

var accesscontrol = require('../accesscontrol.js'),
    assert = require('assert'),
    BearerStrategy = require('passport-http-bearer').Strategy,
    BoxError = require('../boxerror.js'),
    externalLdap = require('../externalldap.js'),
    HttpError = require('connect-lastmile').HttpError,
    LocalStrategy = require('passport-local').Strategy,
    passport = require('passport'),
    users = require('../users.js');

function initialize(callback) {
    assert.strictEqual(typeof callback, 'function');

    // serialize user into session
    passport.serializeUser(function (user, callback) {
        callback(null, user.id);
    });

    // deserialize user from session
    passport.deserializeUser(function(userId, callback) {
        users.get(userId, function (error, result) {
            if (error) return callback(null, null /* user */, error.message); // will end up as a 401. can happen if user with active session got deleted

            callback(null, result);
        });
    });

    // used when username/password is sent in request body. used in CLI login & oauth2 login route
    passport.use(new LocalStrategy(function (username, password, callback) {

        // TODO we should only do this for dashboard logins
        function createAndVerifyUserIfNotExist(identifier, password, callback) {
            assert.strictEqual(typeof identifier, 'string');
            assert.strictEqual(typeof password, 'string');
            assert.strictEqual(typeof callback, 'function');

            externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) {
                if (error && error.reason === BoxError.BAD_STATE) return callback(null, false);
                if (error && error.reason === BoxError.BAD_FIELD) return callback(null, false);
                if (error && error.reason === BoxError.CONFLICT) return callback(null, false);
                if (error && error.reason === BoxError.NOT_FOUND) return callback(null, false);
                if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false);
                if (error) return callback(error);

                callback(null, result);
            });
        }

        if (username.indexOf('@') === -1) {
            users.verifyWithUsername(username, password, users.AP_WEBADMIN, function (error, result) {
                if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password, callback);
                if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false);
                if (error) return callback(error);
                if (!result) return callback(null, false);
                callback(null, result);
            });
        } else {
            users.verifyWithEmail(username, password, users.AP_WEBADMIN, function (error, result) {
                if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password, callback);
                if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false);
                if (error) return callback(error);
                if (!result) return callback(null, false);
                callback(null, result);
            });
        }
    }));

    // used for "Authorization: Bearer token" or access_token query param authentication
    passport.use(new BearerStrategy(function (token, callback) {
        accesscontrol.validateToken(token, callback);
    }));

    callback(null);
}

function uninitialize(callback) {
    assert.strictEqual(typeof callback, 'function');

    callback(null);
}

//  The scope middleware provides an auth middleware for routes.
//
//  It is used for API routes, which are authenticated using accesstokens.
//  Those accesstokens carry OAuth scopes and the middleware takes the required
//  scope as an argument and will verify the accesstoken against it.
//
//  See server.js:
//    var profileScope = routes.oauth2.scope('profile');
//
function scope(requiredScope) {
    assert.strictEqual(typeof requiredScope, 'string');

    var requiredScopes = requiredScope.split(',');

    return [
        passport.authenticate(['bearer'], { session: false }),

        function (req, res, next) {
            assert(req.authInfo && typeof req.authInfo === 'object');

            var error = accesscontrol.hasScopes(req.authInfo.authorizedScopes, requiredScopes);
            if (error) return next(new HttpError(403, error.message));

            next();
        }
    ];
}

function websocketAuth(requiredScopes, req, res, next) {
    assert(Array.isArray(requiredScopes));

    if (typeof req.query.access_token !== 'string') return next(new HttpError(401, 'Unauthorized'));

    accesscontrol.validateToken(req.query.access_token, function (error, user, info) {
        if (error) return next(new HttpError(500, error.message));
        if (!user) return next(new HttpError(401, 'Unauthorized'));

        req.user = user;

        var e = accesscontrol.hasScopes(info.authorizedScopes, requiredScopes);
        if (e) return next(new HttpError(403, e.message));

        next();
    });
}