// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package conan

import (
	"net/http"

	auth_model "forgejo.org/models/auth"
	user_model "forgejo.org/models/user"
	"forgejo.org/modules/log"
	"forgejo.org/modules/optional"
	"forgejo.org/services/auth"
	"forgejo.org/services/packages"
)

var (
	_ auth.Method               = &Auth{}
	_ auth.AuthenticationResult = &conanAuthenticationResult{}
)

type conanAuthenticationResult struct {
	*auth.BaseAuthenticationResult
	user  *user_model.User
	scope optional.Option[auth_model.AccessTokenScope]
}

func (r *conanAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
	return r.scope
}

func (r *conanAuthenticationResult) User() *user_model.User {
	return r.user
}

type Auth struct{}

func (a *Auth) Name() string {
	return "conan"
}

// Verify extracts the user from the Bearer token
func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
	uid, scope, err := packages.ParseAuthorizationToken(req)
	if err != nil {
		log.Trace("ParseAuthorizationToken: %v", err)
		return nil, err
	}

	if uid == 0 {
		return &auth.UnauthenticatedResult{}, nil
	}

	// Propagate scope of the authorization token.
	authScope := optional.None[auth_model.AccessTokenScope]()
	if scope != "" {
		authScope = optional.Some(scope)
	}

	u, err := user_model.GetUserByID(req.Context(), uid)
	if err != nil {
		log.Error("GetUserByID:  %v", err)
		return nil, err
	}

	return &conanAuthenticationResult{user: u, scope: authScope}, nil
}