'use strict';

// The public surface is built first, ahead of the require() calls below
// (presumably so a circular require of this module already sees the
// populated object — verify against the callers before reordering).
exports = module.exports = {
    ROLE_ADMIN: 'admin',
    ROLE_USER: 'user',
    verifyToken: verifyToken,
    hasRole: hasRole
};

var assert = require('assert');
var BoxError = require('./boxerror.js');
var tokendb = require('./tokendb.js');
var users = require('./users.js');

/**
 * Authorization check: does `user` satisfy `requiredRole`?
 *
 * Decision table as implemented here:
 *   - ROLE_USER   -> always granted (the caller is expected to have run
 *                    verifyToken first; `user.active` is NOT re-checked here)
 *   - ROLE_ADMIN  -> granted only when `user.admin` is truthy
 *   - anything else -> denied
 *
 * Note that `typeof null === 'object'`, so the assert below does not reject
 * a null user; a null user with ROLE_ADMIN would throw a TypeError at the
 * property read rather than return a BoxError.
 *
 * @param {object} user          user record, read for its `admin` flag
 * @param {string} requiredRole  one of exports.ROLE_ADMIN / exports.ROLE_USER
 * @returns {BoxError|null} null when access is granted, otherwise a
 *                          BoxError with reason ACCESS_DENIED
 */
function hasRole(user, requiredRole) {
    assert.strictEqual(typeof user, 'object');
    assert.strictEqual(typeof requiredRole, 'string');

    // Every authenticated user holds the base role.
    if (requiredRole === exports.ROLE_USER) return null;

    // Only the admin role remains; any other string is denied as well.
    var granted = requiredRole === exports.ROLE_ADMIN && user.admin;
    return granted ? null : new BoxError(BoxError.ACCESS_DENIED, 'Not allowed');
}

/**
 * Collapses a "record not found" lookup error into INVALID_CREDENTIALS so
 * that an unknown token and an unknown user are indistinguishable to the
 * caller; every other error is returned untouched.
 *
 * @param {BoxError|Error} error  non-null error from tokendb/users
 * @returns {BoxError|Error}
 */
function toCredentialsError(error) {
    if (error.reason === BoxError.NOT_FOUND) return new BoxError(BoxError.INVALID_CREDENTIALS);
    return error;
}

/**
 * Authentication: resolves an access token to its active user record.
 *
 * Lookup chain: tokendb.getByAccessToken -> users.get(token.identifier) ->
 * `user.active` check. The callback receives INVALID_CREDENTIALS when the
 * token is unknown, the user is unknown, or the user is inactive; any other
 * lookup error is passed through as-is. Existence in tokendb is the only
 * token validity check visible in this function — if tokens carry an expiry
 * or scope, it is not enforced here (NOTE(review): confirm in tokendb.js).
 *
 * @param {string} accessToken  opaque bearer token presented by the client
 * @param {function(Error|null, object=)} callback  called once with
 *        (error) or (null, user)
 */
function verifyToken(accessToken, callback) {
    assert.strictEqual(typeof accessToken, 'string');
    assert.strictEqual(typeof callback, 'function');

    tokendb.getByAccessToken(accessToken, function (tokenError, token) {
        if (tokenError) return callback(toCredentialsError(tokenError));

        users.get(token.identifier, function (userError, user) {
            if (userError) return callback(toCredentialsError(userError));

            // A disabled account is reported exactly like a bad token.
            if (!user.active) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));

            callback(null, user);
        });
    });
}