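/*
 * Copyright (C) 2008-2023, Juick
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see .
 */
package com.juick.service.security;

import com.juick.service.UserService;
import com.juick.service.security.entities.JuickUser;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import javax.annotation.Nonnull;
import java.io.IOException;
import java.security.KeyPair;
import java.util.Collections;
import java.util.Optional;
import java.util.stream.Collectors;

/**
 * Populates the Spring {@link SecurityContextHolder} from an RFC 6750
 * {@code Authorization: Bearer <jwt>} request header.
 *
 * <p>The filter only attempts authentication when {@code authenticationIsRequired()}
 * (inherited from {@code BaseAuthenticationFilter}, defined elsewhere) says so. It never
 * rejects a request itself: a missing, malformed, unverifiable or unknown-user token simply
 * leaves the request unauthenticated and the chain continues. Signatures are verified
 * against the public half of the supplied {@link KeyPair}.
 */
public class BearerTokenAuthenticationFilter extends BaseAuthenticationFilter {
    private static final Logger logger = LoggerFactory.getLogger("Auth");

    /** RFC 6750 scheme prefix; the trailing space separates the scheme from the token. */
    private static final String BEARER_PREFIX = "Bearer ";

    private final JwtParser jwtParser;
    private final UserService userService;

    /**
     * @param userService lookup used to resolve the token's {@code sub} claim to a user
     * @param keys        key pair whose public key verifies incoming token signatures
     */
    public BearerTokenAuthenticationFilter(UserService userService, KeyPair keys) {
        this.userService = userService;
        // A verifier only needs the public key. Handing the private key to the parser
        // works for RSA by re-signing and comparing, but is not needed here and keeps
        // signing material in a component that should never sign anything.
        this.jwtParser = Jwts.parserBuilder()
                .setSigningKey(keys.getPublic())
                .build();
    }

    /**
     * Authenticates the request from its Bearer token when required, then always continues
     * the filter chain.
     *
     * @throws ServletException propagated from the downstream chain
     * @throws IOException      propagated from the downstream chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        if (authenticationIsRequired()) {
            // Servlet header lookup is already case-insensitive, so there is no need to
            // build a lower-cased map of every header (which was also locale-dependent and
            // fails on duplicate names).
            extractBearerToken(request.getHeader("Authorization")).ifPresent(this::authenticate);
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * @param authorizationHeaderValue raw header value, may be {@code null}
     * @return the token, or empty when the header is absent, uses another scheme, is bare
     *         {@code "Bearer"} with nothing after it, or carries only whitespace
     */
    private static Optional<String> extractBearerToken(String authorizationHeaderValue) {
        // The scheme name is case-insensitive (RFC 6750 / RFC 9110). Requiring the separating
        // space also rejects values like "Bearerfoo" and avoids substring(7) on a value that is
        // exactly "Bearer", which previously threw outside the try block.
        if (!StringUtils.startsWithIgnoreCase(authorizationHeaderValue, BEARER_PREFIX)) {
            return Optional.empty();
        }
        String token = authorizationHeaderValue.substring(BEARER_PREFIX.length()).strip();
        return token.isEmpty() ? Optional.empty() : Optional.of(token);
    }

    /**
     * Verifies {@code token} and, when its subject names a known non-anonymous user, stores
     * that user as the current {@link Authentication}.
     *
     * <p>Token-level failures (bad signature, expired, malformed, unsupported, empty) are
     * logged at WARN without the token value and leave the request unauthenticated. Failures
     * of the user lookup itself are not treated as "invalid token" and propagate to the
     * caller.
     */
    private void authenticate(String token) {
        String subject;
        try {
            subject = jwtParser.parseClaimsJws(token).getBody().getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            // Message only; never log the token itself.
            logger.warn("Invalid Bearer token: {}", e.getMessage());
            return;
        }
        if (StringUtils.isBlank(subject)) {
            logger.warn("Invalid Bearer token: missing subject claim");
            return;
        }
        var user = userService.getUserByName(subject);
        if (user.isAnonymous()) {
            return;
        }
        // NOTE(review): user.getCredentials() is stored in the SecurityContext as before;
        // nothing visible here needs it, so verify downstream usage before dropping it.
        Authentication authentication = new UsernamePasswordAuthenticationToken(
                new JuickUser(user), user.getCredentials(), JuickUser.USER_AUTHORITY);
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
}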