<?php
namespace Incoviba\Middleware;

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Log\LoggerInterface;
use Incoviba\Exception\MissingAuthorizationHeader;
use Incoviba\Service;

class API
{
    public function __construct(protected ResponseFactoryInterface $responseFactory,
                                protected LoggerInterface $logger,
                                protected Service\API $apiService,
                                protected Service\Login $loginService,
                                protected string $key,
                                protected array $permittedPaths,
                                protected array $simplePaths,
                                protected array $externalPaths) {}

    public function __invoke(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if ($this->validExternal($request)) {
            return $handler->handle($request);
        }
        try {
            $key = $this->apiService->getKey($request);
        } catch (MissingAuthorizationHeader $exception) {
            return $this->responseFactory->createResponse(401);
        }
        if ($this->validateSimpleKey($request, $key)) {
            return $handler->handle($request);
        }
        if ($this->validate($request, $key)) {
            return $handler->handle($request);
        }
        return $this->responseFactory->createResponse(403);
    }
    protected function validate(ServerRequestInterface $request, $incoming_key): bool
    {
        $selector = null;
        $token = null;
        if (str_contains($incoming_key, $this->loginService->getSeparator())) {
            list($incoming_key, $selector, $token) = explode($this->loginService->getSeparator(), $incoming_key, 3);
            if (!$this->loginService->isIn($selector, $token)) {
                return false;
            }
        }
        if (!$this->loginService->isIn($selector, $token) and !$this->validPermitted($request)) {
            return false;
        }
        return $incoming_key === md5($this->key);
    }
    protected function validateSimpleKey(ServerRequestInterface $request, $incoming_key): bool
    {
        return $incoming_key === md5($this->key) and $this->noComplexKeyNeeded($request);
    }
    protected function noComplexKeyNeeded(ServerRequestInterface $request): bool
    {
        $uri = $request->getUri();
        return in_array($uri->getPath(), $this->simplePaths);
    }
    protected function validPermitted(ServerRequestInterface $request): bool
    {
        $uri = $request->getUri();
        return in_array($uri->getPath(), $this->permittedPaths);
    }
    protected function validExternal(ServerRequestInterface $request): bool
    {
        $uri = $request->getUri();
        foreach ($this->externalPaths as $basePath => $paths) {
            if (!str_starts_with($uri->getPath(), $basePath)) {
                continue;
            }
            foreach ($paths as $subPath) {
                $fullPath = "{$basePath}{$subPath}";
                if ($uri->getPath() === $fullPath) {
                    return $this->validateExternalKey($request, $basePath, $subPath);
                }
            }
        }
        return false;
    }
    protected function validateExternalKey(ServerRequestInterface $request, $basePath, $subPath): bool
    {
        if ($request->hasHeader('x-api-key')) {
            $key = $request->getHeaderLine('x-api-key');
            if ($key === $this->externalPaths[$basePath][$subPath]) {
                return true;
            }
        }
        if ($request->hasHeader('Authorization')) {
            $key = $request->getHeaderLine('Authorization');
            if (str_starts_with($key, 'Bearer ')) {
                $key = substr($key, 7);
                if ($key === $this->externalPaths[$basePath][$subPath]) {
                    return true;
                }
            }
        }
        return false;
    }
}