<?php

namespace NoccyLabs\Mercureact\Http\Middleware;

use NoccyLabs\Mercureact\Configuration;
use NoccyLabs\Mercureact\Http\Exeption\SecurityException;
use NoccyLabs\SimpleJWT\JWTToken;
use NoccyLabs\SimpleJWT\Key\JWTPlaintextKey;
use Psr\Http\Message\ServerRequestInterface;
use React\Promise\Promise;
use React\Promise\PromiseInterface;

class SecurityMiddleware
{

    public function __construct(
        private Configuration $config
    )
    {
        
    }

    /**
     * 
     * 
     * @param ServerRequestInterface $request
     * @param callable $next
     * @return PromiseInterface
     */
    public function __invoke(ServerRequestInterface $request, callable $next): PromiseInterface
    {
        return new Promise(
            function (callable $resolve, callable $reject) use ($request, $next) {
                // Check JWT in authorization header or authorization query param
                $request = $this->checkAuthorization($request);

                $resolve($next($request));
            }
        );
    }

    /**
     * 
     * 
     * @param ServerRequestInterface $request
     * @return ServerRequestInterface
     */
    private function checkAuthorization(ServerRequestInterface $request): ServerRequestInterface
    {
        $authorization = $request->getHeaderLine('authorization');
        if (str_starts_with(strtolower($authorization), "bearer ")) {
            $jwt = substr($authorization, strpos($authorization, " ")+1);
            $key = new JWTPlaintextKey($this->config->getJwtSecret());
            $tok = new JWTToken($key, $jwt);
            if (!$tok->isValid()) {
                throw new SecurityException(message:"Invalid token", code:SecurityException::ERR_ACCESS_DENIED);
            }
            $mercureClaims = $tok->claims->get('mercure');
            return $request
                ->withAttribute('authorization', $tok);
        } else {
            return $request
                ->withAttribute('authorization', null);

        }
    }

}