import * as Koa from 'koa';
import * as bcrypt from 'bcryptjs';
import * as speakeasy from 'speakeasy';
import signin from '../common/signin';
import config from '@/config/index';
import { Users, Signins, UserProfiles, UserSecurityKeys, AttestationChallenges } from '@/models/index';
import { ILocalUser } from '@/models/entities/user';
import { genId } from '@/misc/gen-id';
import { verifyLogin, hash } from '../2fa';
import { randomBytes } from 'crypto';

export default async (ctx: Koa.Context) => {
	ctx.set('Access-Control-Allow-Origin', config.url);
	ctx.set('Access-Control-Allow-Credentials', 'true');

	const body = ctx.request.body as any;
	const username = body['username'];
	const password = body['password'];
	const token = body['token'];

	function error(status: number, error: { id: string }) {
		ctx.status = status;
		ctx.body = { error };
	}

	if (typeof username != 'string') {
		ctx.status = 400;
		return;
	}

	if (typeof password != 'string') {
		ctx.status = 400;
		return;
	}

	if (token != null && typeof token != 'string') {
		ctx.status = 400;
		return;
	}

	// Fetch user
	const user = await Users.findOne({
		usernameLower: username.toLowerCase(),
		host: null,
	}) as ILocalUser;

	if (user == null) {
		error(404, {
			id: '6cc579cc-885d-43d8-95c2-b8c7fc963280',
		});
		return;
	}

	if (user.isSuspended) {
		error(403, {
			id: 'e03a5f46-d309-4865-9b69-56282d94e1eb',
		});
		return;
	}

	const profile = await UserProfiles.findOneOrFail(user.id);

	// Compare password
	const same = await bcrypt.compare(password, profile.password!);

	async function fail(status?: number, failure?: { id: string }) {
		// Append signin history
		await Signins.insert({
			id: genId(),
			createdAt: new Date(),
			userId: user.id,
			ip: ctx.ip,
			headers: ctx.headers,
			success: false,
		});

		error(status || 500, failure || { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
	}

	if (!profile.twoFactorEnabled) {
		if (same) {
			signin(ctx, user);
			return;
		} else {
			await fail(403, {
				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
			});
			return;
		}
	}

	if (token) {
		if (!same) {
			await fail(403, {
				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
			});
			return;
		}

		const verified = (speakeasy as any).totp.verify({
			secret: profile.twoFactorSecret,
			encoding: 'base32',
			token: token,
			window: 2,
		});

		if (verified) {
			signin(ctx, user);
			return;
		} else {
			await fail(403, {
				id: 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f',
			});
			return;
		}
	} else if (body.credentialId) {
		if (!same && !profile.usePasswordLessLogin) {
			await fail(403, {
				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
			});
			return;
		}

		const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
		const clientData = JSON.parse(clientDataJSON.toString('utf-8'));
		const challenge = await AttestationChallenges.findOne({
			userId: user.id,
			id: body.challengeId,
			registrationChallenge: false,
			challenge: hash(clientData.challenge).toString('hex'),
		});

		if (!challenge) {
			await fail(403, {
				id: '2715a88a-2125-4013-932f-aa6fe72792da',
			});
			return;
		}

		await AttestationChallenges.delete({
			userId: user.id,
			id: body.challengeId,
		});

		if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
			await fail(403, {
				id: '2715a88a-2125-4013-932f-aa6fe72792da',
			});
			return;
		}

		const securityKey = await UserSecurityKeys.findOne({
			id: Buffer.from(
				body.credentialId
					.replace(/-/g, '+')
					.replace(/_/g, '/'),
					'base64'
			).toString('hex'),
		});

		if (!securityKey) {
			await fail(403, {
				id: '66269679-aeaf-4474-862b-eb761197e046',
			});
			return;
		}

		const isValid = verifyLogin({
			publicKey: Buffer.from(securityKey.publicKey, 'hex'),
			authenticatorData: Buffer.from(body.authenticatorData, 'hex'),
			clientDataJSON,
			clientData,
			signature: Buffer.from(body.signature, 'hex'),
			challenge: challenge.challenge,
		});

		if (isValid) {
			signin(ctx, user);
			return;
		} else {
			await fail(403, {
				id: '93b86c4b-72f9-40eb-9815-798928603d1e',
			});
			return;
		}
	} else {
		if (!same && !profile.usePasswordLessLogin) {
			await fail(403, {
				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
			});
			return;
		}

		const keys = await UserSecurityKeys.find({
			userId: user.id,
		});

		if (keys.length === 0) {
			await fail(403, {
				id: 'f27fd449-9af4-4841-9249-1f989b9fa4a4',
			});
			return;
		}

		// 32 byte challenge
		const challenge = randomBytes(32).toString('base64')
			.replace(/=/g, '')
			.replace(/\+/g, '-')
			.replace(/\//g, '_');

		const challengeId = genId();

		await AttestationChallenges.insert({
			userId: user.id,
			id: challengeId,
			challenge: hash(Buffer.from(challenge, 'utf-8')).toString('hex'),
			createdAt: new Date(),
			registrationChallenge: false,
		});

		ctx.body = {
			challenge,
			challengeId,
			securityKeys: keys.map(key => ({
				id: key.id,
			})),
		};
		ctx.status = 200;
		return;
	}
	// never get here
};