<?php
/**
 * FuzeWorks Authentication Plugin.
 *
 * The FuzeWorks PHP FrameWork
 *
 * Copyright (C) 2013 - 2023 i15
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 *
 * @author    i15
 * @copyright Copyright (C) 2013 - 2023, i15. (https://i15.nl)
 * @license   https://opensource.org/licenses/MIT MIT License
 *
 * @since Version 1.3.0
 *
 * @version Version 1.3.0
 */

namespace Application\Controller;
use FuzeWorks\Authentication\Events\LoginEvent;
use FuzeWorks\Authentication\Events\RegisterEvent;
use FuzeWorks\Authentication\Exceptions\AuthenticationException;
use FuzeWorks\Authentication\Exceptions\InputException;
use FuzeWorks\Authentication\Exceptions\LoginErrorException;
use FuzeWorks\Authentication\Exceptions\LoginWarningException;
use FuzeWorks\Authentication\Exceptions\RegisterErrorException;
use FuzeWorks\Authentication\Exceptions\RegisterWarningException;
use FuzeWorks\Authentication\Model\Session;
use FuzeWorks\Authentication\Model\User;
use FuzeWorks\ConfigORM\ConfigORM;
use FuzeWorks\Controller;
use FuzeWorks\Authentication\AuthenticationPlugin;
use FuzeWorks\Events;
use FuzeWorks\Exception\FactoryException;
use FuzeWorks\Exception\LayoutException;
use FuzeWorks\Factory;
use FuzeWorks\Forms\Form;
use FuzeWorks\Layout;
use FuzeWorks\Logger;
use FuzeWorks\Mailer\PHPMailerWrapper;
use FuzeWorks\ObjectStorage\ObjectStorageComponent;
use PHPMailer\PHPMailer\Exception;
use Psr\SimpleCache\CacheInterface;

class AuthenticationController extends Controller
{

    protected AuthenticationPlugin $plugin;
    public Session $session;
    public ConfigORM $authConfig;

    public function __construct()
    {
        parent::__construct();
        $this->plugin = $this->plugins->get('auth');
        $this->session = $this->plugin->sessions->start();
        $this->authConfig = $this->plugin->config;
    }

    /**
     * Attempt a login using a designated identifier and password.
     *
     * Sessions are automatically extended as they approach their end. Sessions with remember = false will last an hour.
     * Sessions with remember = true will last 3 months.
     *
     * Context data will be saved into the database for security purposes.
     *
     * Login may be prevented by the following causes:
     * - Username and password mismatch, or password is not set.
     * - The user is already currently logged in the current session.
     * - The user doesn't exist.
     * - User is set to inactive.
     * - Email verification threshold has expired and the user must verify before being allowed to log in.
     * - The event system cancels login for other reasons.
     *
     * @param string $identifier
     * @param string $password
     * @param bool $remember
     * @param array $context
     * @return Session
     * @throws LoginErrorException
     * @throws LoginWarningException
     */
    public function login(string $identifier, string $password, bool $remember = false, array $context = []): Session
    {
        /** @var LoginEvent $event */
        $event = Events::fireEvent(new LoginEvent($identifier, $password, $remember, $context));
        if ($event->isCancelled())
            throw new LoginErrorException("Login cancelled by system.");

        // Fetch the user
        $user = $this->plugin->users->getUserByEmail($event->identifier);
        foreach ($event->getIdentifierFields() as $field)
        {
            if (empty($user))
                $user = $this->plugin->users->getUsersByProperty($field, $event->identifier);
        }

        // If user not found, notify
        if (empty($user))
            throw new LoginWarningException("The provided username and/or password is invalid.");

        // Verify that the current session is not the same as the supposed login session
        if ($this->session->user->id === $user->id)
            throw new LoginWarningException("User is already logged in.");

        // Check if the password is correct
        if (!password_verify($event->password, $user->password))
            throw new LoginWarningException("The provided username and/or password is invalid.");

        // Check if the password needs to be updated
        if (password_needs_rehash($user->password,
            $this->plugin->config->get("password_algorithm"),
            $this->plugin->config->get("password_options")))
        {
            $this->plugin->users->changePassword($user, $event->password);
        }

        // Check if the user is still active
        if (!$user->active)
            throw new LoginErrorException("User is inactive. Login blocked.");

        // Check if email has been verified on time
        if (!is_null($user->emailVerifyToken) && date('U') > $user->emailVerifyExpiry)
        {
            $url = $this->plugin->getAuthenticationURL() . "/resend_verify_email?t=" . base64_encode($user->primaryEmail);
            throw new LoginWarningException("User must verify email before logging in. Click <a href='$url'>here</a> to resend the verification email.");
        }

        // Create a session, log and return it
        $this->session = $this->plugin->sessions->createSession($user, $event->context, $event->remember);
        Logger::log("Logged in user '" . $user->primaryEmail . "'");
        return $this->session;
    }

    /**
     * Log a user out of the current session.
     *
     * Will set the session active to false and remove the session cookie.
     *
     * @return bool
     */
    public function logout(): bool
    {
        if ($this->session->user->id == "0")
            return false;

        return $this->plugin->sessions->endSession($this->session);
    }

    /**
     * Performs a registration of a new user using the provided data.
     *
     * The only absolutely required parameter is email. No user can exist without a valid email address.
     *
     * If password is null (for instance by creating the user from a panel instead of registration), the user shall be asked to set a password after verifying their email.
     *
     * Parameters should be an empty array, unless the developer wants to explicitly set internal values like emailExpiryTime.
     *
     * Properties can be any extra key => value data the developer wants to store about their users, such as usernames or social data.
     *
     * Use $bypassRestrictions in case registration is disabled by config, but a new user must be added anyway.
     *
     * Registration can be denied for the following reasons:
     * - Registration is disabled by config and $bypassRestrictions is not set to true.
     * - User already exists.
     * - The event system cancels registration of another reason.
     *
     * @param string $email
     * @param string|null $password
     * @param array $parameters
     * @param array $properties
     * @param bool $bypassRestrictions
     * @return bool
     * @throws RegisterErrorException
     * @throws RegisterWarningException
     */
    public function register(string $email, ?string $password, array $parameters, array $properties, bool $bypassRestrictions = false): bool
    {
        // First check if registration is enabled
        if (!$this->authConfig->get("register_enabled") && !$bypassRestrictions)
            throw new RegisterErrorException("Registration is disabled.");

        /** @var RegisterEvent $event */
        $event = Events::fireEvent(new RegisterEvent($email, $password, $parameters, $properties));
        if ($event->isCancelled())
        {
            $error = is_null($event->getError()) ? "Register cancelled by system." : $event->getError();
            throw new RegisterErrorException($error);
        }

        // Create the user
        try {
            if (!$this->plugin->users->addUser($event->email, $event->password, true, $event->properties))
                throw new RegisterErrorException("Could not create user. System error.");

            // Fetch the user
            $user = $this->plugin->users->getUserByEmail($event->email);
            $this->sendVerifyEmail($user);
        } catch (InputException|AuthenticationException $e) {
            throw new RegisterErrorException($e->getMessage());
        } catch (Exception $e) {
            throw new RegisterErrorException("Could not add user. Failed to send mail to user: " . $e->getMessage());
        } catch (FactoryException|LayoutException $e) {
            throw new RegisterErrorException("Could not add user. System failure.");
        }

        return true;
    }

    /**
     * Sends a new email verification message to the user, in case the existing message is lost or expired.
     *
     * @param string $email
     * @return bool
     * @throws LoginErrorException
     * @throws RegisterErrorException
     */
    public function resendVerifyEmail(string $email): bool
    {
        $user = $this->plugin->users->getUserByEmail($email);
        if (is_null($user))
            throw new LoginErrorException("User not found.");

        try {
            $this->sendVerifyEmail($user);
        } catch (FactoryException|LayoutException $e) {
            throw new LoginErrorException("Could not resend verify email. System failure.");
        } catch (Exception $e) {
            throw new RegisterErrorException("Could not resend verify email. Failed to send mail to user: " . $e->getMessage());
        }

        return true;
    }

    /**
     * Sends a email verification message to the user.
     *
     * @param User $user
     * @return void
     */
    private function sendVerifyEmail(User $user): void
    {
        // Load template engine
        /** @var Layout $layout */
        $layout = Factory::getInstance("layouts");
        $layout->assign("user", $user);
        $layout->assign("verifyURL", $this->plugin->getAuthenticationURL() . "/verify");

        $html = $layout->get("mail/register");
        $alt = $layout->get("mail/register_alt");

        // Prepare mailer
        /** @var PHPMailerWrapper $mailer */
        $mailer = $this->libraries->get("mailer");
        $mailer->addAddress($user->primaryEmail);
        $serverName = $this->config->getConfig("web")->get("serverName");
        $mailer->Subject = "Welcome to $serverName !";
        $mailer->isHTML();
        $mailer->Body = $html;
        $mailer->AltBody = $alt;

        // And send mail
        $mailer->send();
    }

    /**
     * Verifies a user by their email token.
     *
     * @param string $token
     * @return User|null
     */
    public function verifyEmail(string $token): ?User
    {
        // Fetch user
        $users = $this->plugin->users->getUsersByVariable("emailVerifyToken", $token);
        if (count($users) === 1)
        {
            // Select user
            /** @var User $user */
            $user = $users[0];
            $user->emailVerifyToken = null;
            $user->emailVerifyExpiry = null;

            // Update the user
            $this->plugin->users->updateUser($user);

            // And return true
            return $user;
        }

        return null;
    }

    /**
     * Sends a forgot password email to the user, based on the email address of the user.
     *
     * Will be denied if:
     * - Password resets are disabled by config.
     * - The user doesn't exist.
     * - The user is marked as inactive.
     *
     * @param string $email
     * @return bool
     * @throws FactoryException
     * @throws LoginErrorException
     * @throws LoginWarningException
     */
    public function forgotPassword(string $email): bool
    {
        // Check if forgot password is enabled
        if (!$this->authConfig->get("forgot_password_enabled"))
            throw new LoginErrorException("Forgot password is disabled.");

        // Fetch the user
        $user = $this->plugin->users->getUserByEmail($email);

        // If user not found, notify
        if (empty($user))
            throw new LoginWarningException("The provided email is unknown.");

        // Check if the user is still active
        if (!$user->active)
            throw new LoginErrorException("The provided email is unknown");

        // Generate reset token
        $token = bin2hex(random_bytes(32));

        // Save the token and user ID to ObjectStorage
        /** @var CacheInterface $cache */
        $cache = Factory::getInstance("storage")->getCache();
        $cache->set("forgot_password_" . $token, $user->id, 3600);

        // And send mail
        try {
            // Data is verified. Now send the email.
            /** @var Layout $layout */
            $layout = Factory::getInstance("layouts");
            $layout->assign("resetURL", $this->plugin->getAuthenticationURL() . "/reset_password");
            $layout->assign("token", $token);
            $html = $layout->get("mail/forgot_password");
            $alt = $layout->get("mail/forgot_password_alt");

            // Prepare mailer
            /** @var PHPMailerWrapper $mailer */
            $mailer = $this->libraries->get("mailer");
            $mailer->addAddress($email);
            $mailer->Subject = "Password reset";
            $mailer->isHTML();
            $mailer->Body = $html;
            $mailer->AltBody = $alt;

            $mailer->send();
        } catch (Exception $e) {
            throw new LoginErrorException("Could not send mail to user: " . $e->getMessage());
        } catch (FactoryException|LayoutException $e) {
            throw new LoginErrorException("Could not send mail to user. System failure.");
        }

        return true;
    }

    /**
     * Method used by AdminView to generate a token to reset password with, after verifying email.
     *
     * @internal
     * @param User $user
     * @return string
     */
    public function createResetToken(User $user): string
    {
        // Generate reset token
        $token = bin2hex(random_bytes(32));

        // Save the token and user ID to ObjectStorage
        /** @var CacheInterface $cache */
        $cache = Factory::getInstance("storage")->getCache();
        $cache->set("forgot_password_" . $token, $user->id, 3600);

        return $token;
    }

    /**
     * Reset the password of the user with the selected token
     *
     * @param string $token
     * @param string $password
     * @return bool
     * @throws LoginErrorException
     */
    public function resetPassword(string $token, string $password): bool
    {
        // Check token in cache
        /** @var CacheInterface $cache */
        $cache = Factory::getInstance("storage")->getCache();
        if (!$cache->has("forgot_password_" . $token))
            throw new LoginErrorException("User was not found.");

        // Fetch user
        $user = $this->plugin->users->getUserByUid($cache->get("forgot_password_" . $token));

        // Modify the user
        try {
            if ($this->plugin->users->changePassword($user, $password))
                $cache->delete("forgot_password_" . $token);

            return true;
        } catch (InputException $e) {
            throw new LoginErrorException($e->getMessage());
        }
    }

    /**
     * Returns an array of detailed user information.
     *
     * Returns ['user' => User, 'sessions' => Session[]] , or null if not found.
     *
     * @param string $userId
     * @return array|null
     */
    public function getDetailedUserInformation(string $userId): ?array
    {
        $user = $this->plugin->users->getUserByUid($userId);
        if (is_null($user))
            return null;

        $sessions = $this->plugin->sessions->getSessions(['user' => $userId]);
        return ['user' => $user, 'sessions' => $sessions];
    }

    /**
     * Gives a list of users that match the filter.
     *
     * @param array $filter
     * @param int $index
     * @param int $limit
     * @return array
     */
    public function listUsers(array $filter = [], int $index = 0, int $limit = 25): array
    {
        return $this->plugin->users->getUsers($index, $limit);
    }

    /**
     * Condition callable for register form, to check if password 1 and 2 are equivalent.
     *
     * @internal
     * @param Form $form
     * @return bool
     */
    public static function registerFormCondition(Form $form): bool
    {
        // Verify password1 and password2 equivalency
        $pass1 = $form->getField("password1");
        $pass2 = $form->getField("password2");
        if ($pass1->getValue() !== $pass2->getValue())
        {
            $pass1->invalidate();
            $pass2->invalidate();
            $pass1->addError("Passwords do not match");
            $pass2->addError("Passwords do not match");
            return false;
        }

        return true;
    }

}