<?php
namespace Conmed\Authserver;

use Bitrix\Main\Config\Option;
use Bitrix\Main\Context;
use Bitrix\Main\Type\DateTime;
use Bitrix\Highloadblock\HighloadBlockTable;
use Bitrix\Main\Loader;

trait AuthTokenTrait {
    public static function authorizeAction() {
        global $USER; $req = Context::getCurrent()->getRequest();
        $cid = $req->get("client_id"); $uri = $req->get("redirect_uri");
        if(!self::checkClient($cid, false, $uri)) die("Access Denied");
        if(!$USER->IsAuthorized()) { LocalRedirect("/auth/?backurl=".urlencode(Context::getCurrent()->getServer()->getRequestUri())); die(); }
        
        $code = bin2hex(random_bytes(16));
        $dc = self::getHlEntity('sso_codes');
        $dc::add(['UF_CODE'=>$code, 'UF_CLIENT_ID'=>$cid, 'UF_USER_ID'=>$USER->GetID(), 'UF_EXPIRES'=>DateTime::createFromTimestamp(time()+60)]);
        
        $url = $uri . (strpos($uri, '?') === false ? '?' : '&') . 'code=' . $code . '&authservice=conmedauth';
        if($req->get("state")) $url .= '&state=' . urlencode($req->get("state"));
        LocalRedirect($url);
    }

    public static function tokenAction() {
        header('Content-Type: application/json');
        $req = Context::getCurrent()->getRequest(); $cid = $req->get("client_id");
        if(!self::checkClient($cid, $req->get("client_secret"))) { self::registerAttempt(); die(json_encode(['error'=>'forbidden'])); }
        $dc = self::getHlEntity('sso_codes');
        if($c = $dc::getList(['filter'=>['=UF_CODE'=>$req->get("code"),'=UF_CLIENT_ID'=>$cid,'>UF_EXPIRES'=>DateTime::createFromTimestamp(time())]])->fetch()) {
            $dc::delete($c['ID']);
            $acc = bin2hex(random_bytes(32)); $ref = bin2hex(random_bytes(32));
            $dt = self::getHlEntity('sso_tokens');
            $dt::add(['UF_TOKEN'=>$acc,'UF_REFRESH_TOKEN'=>$ref,'UF_USER_ID'=>$c['UF_USER_ID'],'UF_CLIENT_ID'=>$cid,'UF_EXPIRES'=>DateTime::createFromTimestamp(time()+3600),'UF_REFRESH_EXPIRES'=>DateTime::createFromTimestamp(time()+2592000)]);
            echo json_encode(['access_token'=>$acc, 'refresh_token'=>$ref]);
        } else { self::registerAttempt(); echo json_encode(['error'=>'invalid_code']); }
    }

    public static function refreshAction() {
        header('Content-Type: application/json');
        $req = Context::getCurrent()->getRequest(); $cid = $req->get("client_id");
        if(!self::checkClient($cid, $req->get("client_secret"))) die(json_encode(['error'=>'forbidden']));
        $dt = self::getHlEntity('sso_tokens');
        if($t = $dt::getList(['filter'=>['=UF_REFRESH_TOKEN'=>$req->get("refresh_token"),'=UF_CLIENT_ID'=>$cid,'>UF_REFRESH_EXPIRES'=>DateTime::createFromTimestamp(time())]])->fetch()) {
            $acc = bin2hex(random_bytes(32)); $ref = bin2hex(random_bytes(32));
            $dt::update($t['ID'], ['UF_TOKEN'=>$acc, 'UF_REFRESH_TOKEN'=>$ref, 'UF_EXPIRES'=>DateTime::createFromTimestamp(time()+3600)]);
            echo json_encode(['access_token'=>$acc, 'refresh_token'=>$ref]);
        } else echo json_encode(['error'=>'invalid_refresh']);
    }

    private static function getUidByToken($token) {
        if(!$token) return false;
        $dt = self::getHlEntity('sso_tokens');
        $t = $dt::getList(['filter'=>['=UF_TOKEN'=>$token, '>UF_EXPIRES'=>DateTime::createFromTimestamp(time())]])->fetch();
        return $t ? $t['UF_USER_ID'] : false;
    }
}