# frozen_string_literal: true

class UserApiKeysController < ApplicationController
  layout "no_ember"

  requires_login only: %i[create create_otp revoke undo_revoke]
  skip_before_action :redirect_to_login_if_required,
                     :redirect_to_profile_if_required,
                     only: %i[new otp]
  skip_before_action :check_xhr, :preload_json

  AUTH_API_VERSION = 4

  def new
    if request.head?
      head :ok, auth_api_version: AUTH_API_VERSION
      return
    end

    find_client
    require_params
    validate_params

    unless current_user
      cookies[:destination_url] = request.fullpath

      if SiteSetting.enable_discourse_connect?
        redirect_to path("/session/sso")
      else
        redirect_to path("/login")
      end
      return
    end

    unless meets_tl?
      @no_trust_level = true
      return
    end

    @application_name = params[:application_name] || @client&.application_name
    @public_key = params[:public_key] || @client&.public_key
    @nonce = params[:nonce]
    @client_id = params[:client_id]
    @auth_redirect = params[:auth_redirect]
    @push_url = params[:push_url]
    @localized_scopes = params[:scopes].split(",").map { |s| I18n.t("user_api_key.scopes.#{s}") }
    @scopes = params[:scopes]
  rescue Discourse::InvalidAccess
    @generic_error = true
  end

  def create
    find_client
    require_params

    if params.key?(:auth_redirect)
      if UserApiKeyClient.invalid_auth_redirect?(params[:auth_redirect], client: @client)
        raise Discourse::InvalidAccess
      end
    end

    raise Discourse::InvalidAccess unless meets_tl?

    validate_params
    scopes = params[:scopes].split(",")

    @client = UserApiKeyClient.new(client_id: params[:client_id]) if @client.blank?
    @client.application_name = params[:application_name] if params[:application_name].present?
    @client.public_key = params[:public_key] if params[:public_key].present?
    @client.save! if @client.new_record? || @client.changed?

    # destroy any old keys the user had with the client
    @client.keys.where(user_id: current_user.id).destroy_all

    key =
      @client.keys.create!(
        user_id: current_user.id,
        push_url: params[:push_url],
        scopes: scopes.map { |name| UserApiKeyScope.new(name: name) },
      )

    # we keep the payload short so it encrypts easily with public key
    # it is often restricted to 128 chars
    @payload = {
      key: key.key,
      nonce: params[:nonce],
      push: key.has_push?,
      api: AUTH_API_VERSION,
    }.to_json

    public_key = OpenSSL::PKey::RSA.new(@client.public_key)
    @payload = Base64.encode64(public_key.public_encrypt(@payload))

    if scopes.include?("one_time_password")
      # encrypt one_time_password separately to bypass 128 chars encryption limit
      otp_payload = one_time_password(public_key, current_user.username)
    end

    if params[:auth_redirect]
      uri = URI.parse(params[:auth_redirect])
      query_attributes = [uri.query, "payload=#{CGI.escape(@payload)}"]
      if scopes.include?("one_time_password")
        query_attributes << "oneTimePassword=#{CGI.escape(otp_payload)}"
      end
      uri.query = query_attributes.compact.join("&")

      redirect_to(uri.to_s, allow_other_host: true)
    else
      respond_to do |format|
        format.html { render :show }
        format.json do
          instructions =
            I18n.t("user_api_key.instructions", application_name: @client.application_name)
          render json: { payload: @payload, instructions: instructions }
        end
      end
    end
  end

  def otp
    require_params_otp

    unless current_user
      cookies[:destination_url] = request.fullpath

      if SiteSetting.enable_discourse_connect?
        redirect_to path("/session/sso")
      else
        redirect_to path("/login")
      end
      return
    end

    @application_name = params[:application_name]
    @public_key = params[:public_key]
    @auth_redirect = params[:auth_redirect]
  end

  def create_otp
    require_params_otp

    if UserApiKeyClient.invalid_auth_redirect?(params[:auth_redirect])
      raise Discourse::InvalidAccess
    end
    raise Discourse::InvalidAccess unless meets_tl?

    public_key = OpenSSL::PKey::RSA.new(params[:public_key])
    otp_payload = one_time_password(public_key, current_user.username)

    redirect_path = "#{params[:auth_redirect]}?oneTimePassword=#{CGI.escape(otp_payload)}"
    redirect_to(redirect_path, allow_other_host: true)
  end

  def revoke
    revoke_key = find_key if params[:id]

    if current_key = request.env["HTTP_USER_API_KEY"]
      request_key = UserApiKey.with_key(current_key).first
      revoke_key ||= request_key
    end

    raise Discourse::NotFound unless revoke_key

    revoke_key.update_columns(revoked_at: Time.zone.now)

    render json: success_json
  end

  def undo_revoke
    find_key.update_columns(revoked_at: nil)
    render json: success_json
  end

  def find_key
    key = UserApiKey.find(params[:id])
    raise Discourse::InvalidAccess unless current_user.admin || key.user_id == current_user.id
    key
  end

  def find_client
    @client = UserApiKeyClient.find_by(client_id: params[:client_id])
  end

  def require_params
    %i[nonce scopes client_id].each { |p| params.require(p) }
    params.require(:public_key) if @client&.public_key.blank?
    params.require(:application_name) if @client&.application_name.blank?
  end

  def validate_params
    requested_scopes = Set.new(params[:scopes].split(","))
    raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)

    # our pk has got to parse
    OpenSSL::PKey::RSA.new(params[:public_key]) if params[:public_key]
  end

  def require_params_otp
    %i[public_key auth_redirect application_name].each { |p| params.require(p) }
  end

  def meets_tl?
    current_user.staff? || current_user.in_any_groups?(SiteSetting.user_api_key_allowed_groups_map)
  end

  def one_time_password(public_key, username)
    unless UserApiKey.allowed_scopes.superset?(Set.new(["one_time_password"]))
      raise Discourse::InvalidAccess
    end

    otp = SecureRandom.hex
    Discourse.redis.setex "otp_#{otp}", 10.minutes, username

    Base64.encode64(public_key.public_encrypt(otp))
  end
end