'use strict';

module.exports.create = function (cli, engine/*, dnsd*/) {
  var subparts = (cli.subject || '').split('@');
  /*
  {
    "kty": "EC",
    "use": "sig",
    "crv": "P-256",
    "x": "ogbK2nP6SiEIIp4w8oXBn3dcs6kljFfTbgZYG591tUU",
    "y": "sB0AekMYwpvbQfAoW-2LlEWdapNhxynfj1zBtWpE9lo",
    "alg": "ES256"
  }
  */
  var jwt;
  var jwk;
  var privpem;
  var pubpem;
  if (!subparts[1]) {
    subparts = [ 'root', 'localhost' ];
    // TODO generate new random key and store it
    jwk = {
      //"kid": "thumbnail(pubkey)",
      "kty": "EC",
      "d": "GRIT-yJVlhAsgIChbNanxv41iCxbZszbHHgK8kbZovs",
      "use": "sig",
      "crv": "P-256",
      "x": "ogbK2nP6SiEIIp4w8oXBn3dcs6kljFfTbgZYG591tUU",
      "y": "sB0AekMYwpvbQfAoW-2LlEWdapNhxynfj1zBtWpE9lo",
      "alg": "ES256"
    };
    jwt = require('jsonwebtoken');
    privpem = require('jwk-to-pem')(jwk, { private: true });
    pubpem = require('jwk-to-pem')(jwk, { private: false });
    console.log(privpem);
    console.log("================================");
    console.log(" JWT Write Authorization Token: ");
    console.log("================================");
    console.log(jwt.sign(
      { sub: subparts[0]
      , iss: subparts[1]
      , aud: 'localhost'
      , scp: '+rw@adns.org'
      }
    , privpem
    , { notBefore: 0 // from now
      , expiresIn: '2h'
      , algorithm: 'ES256'
      }
    ));
    // expressed as "from now"
    /*
    { NotBeforeError: jwt not active
        at Object.module.exports [as verify] (digd.js/node_modules/jsonwebtoken/verify.js:117:19)
        at digd.js/lib/httpd.js:112:15
        at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5)
        at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13)
        at digd.js/node_modules/express/lib/router/index.js:284:7
        at Function.process_params (digd.js/node_modules/express/lib/router/index.js:335:12)
        at next (digd.js/node_modules/express/lib/router/index.js:275:10)
        at expressInit (digd.js/node_modules/express/lib/middleware/init.js:40:5)
        at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5)
        at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13)
      name: 'NotBeforeError',
      message: 'jwt not active',
      date: +050046-12-28T01:12:58.000Z }
    */
    console.log("===============================");
    console.log(" JWT Read Authorization Token: ");
    console.log("===============================");
    console.log(jwt.sign(
      { sub: subparts[0]
      , iss: subparts[1]
      , aud: 'localhost'
      , scp: '+r@adns.org'
      }
    , privpem
    , { notBefore: 0 // from now
      , algorithm: 'ES256'
      }
    ));
    console.log("==========================");
  }

  function runHttp() {
    var path = require('path');
    var express = require('express');
    var app = express();
    var httpServer = require('http').createServer(app);

    app.use('/api', function (req, res, next) {
      var auth = (req.headers.authorization || req.query.token || '').split(/\s+/)[1];
      var token;

      if (!auth) {
        res.statusCode = 403;
        res.send({ error: { message: "need authorization" } });
        return;
      }

      jwt = jwt || require('jsonwebtoken');
      try {
        token = jwt.decode(auth);
      } catch (e) {
        token = null;
      }

      if (!token || !token.iss) {
        res.statusCode = 403;
        res.send({ error: { message: "need jwt-format authorization" } });
        return;
      }

      if (subparts[0] === token.sub && subparts[1] === token.iss) {
        try {
          /*
          // { algorithm: 'ES256' }
          { JsonWebTokenError: invalid algorithm
              at Object.module.exports [as verify] (digd.js/node_modules/jsonwebtoken/verify.js:90:17)
              at digd.js/lib/httpd.js:82:15
              at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5)
              at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13)
              at digd.js/node_modules/express/lib/router/index.js:284:7
              at Function.process_params (digd.js/node_modules/express/lib/router/index.js:335:12)
              at next (digd.js/node_modules/express/lib/router/index.js:275:10)
              at expressInit (digd.js/node_modules/express/lib/middleware/init.js:40:5)
              at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5)
              at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13) name: 'JsonWebTokenError', message: 'invalid algorithm' }
          */
          // could be that it's private but expecting public, or public but expecting private
          /*
          Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
              at Verify.verify (crypto.js:381:23)
              at verify (digd.js/node_modules/jwa/index.js:68:21)
              at Object.verify (digd.js/node_modules/jwa/index.js:85:18)
              at Object.jwsVerify [as verify] (digd.js/node_modules/jws/lib/verify-stream.js:54:15)
              at Object.module.exports [as verify] (digd.js/node_modules/jsonwebtoken/verify.js:96:17)
              at digd.js/lib/httpd.js:82:15
              at Layer.handle [as handle_request] (digd.js/node_modules/express/lib/router/layer.js:95:5)
              at trim_prefix (digd.js/node_modules/express/lib/router/index.js:317:13)
              at digd.js/node_modules/express/lib/router/index.js:284:7
              at Function.process_params (digd.js/node_modules/express/lib/router/index.js:335:12)
          */
          jwt.verify(auth, pubpem, { algorithms: [ 'ES256' ] });
        } catch(e) {
          res.statusCode = 403;
          console.error(e);
          console.log(auth);
          console.log(jwt.decode(auth, { complete: true }));
          res.send({ error: { message: "jwt was not verified authorization" } });
          return;
        }
      }

      req.auth = auth;
      req.token = token;

      next();
    });

    app.get('/api/verify-auth', function (req, res) {
      res.send({ success: true });
    });
    app.get('/api/peers', function (req, res) {
      engine.peers.all(function (err, peers) {
        res.send({ peers: peers });
      });
    });
    app.get('/api/zones', function (req, res) {
      engine.zones.all(function (err, zones) {
        res.send({ zones: zones });
      });
    });
    function mapRecord(r) {
      return {
        id: r.id
      , zone: r.zone
      , name: r.name
      , tld: r.tld
      , type: r.type
      , class: r.class
      , ttl: r.ttl
      , data: r.data
      , address: r.address
      , exchange: r.exchange
      , priority: r.priority
      , value: r.value
      , aname: r.aname
      , flag: r.flag
      , tag: r.tag
      , weight: r.weight
      , port: r.port
      , target: r.target
      };
    }
    app.get('/api/zones/:zone/records', function (req, res) {
      engine.records.all(function (err, records) {
        res.send({ records: records.filter(function (r) {
          return r.zone === req.params.zone;
        }).map(mapRecord) });
      });
    });
    app.get('/api/records', function (req, res) {
      engine.records.all(function (err, records) {
        res.send({ records: records.map(mapRecord) });
      });
    });
    app.get('/api/records/:name', function (req, res) {
      engine.records.all(function (err, records) {
        res.send({ records: records.filter(function (r) {
          if (r.name === req.params.name) {
            return true;
          }

          var parts = req.params.name.split('.');
          parts.shift();
          if ('*.' + parts.join('.') === r.name) {
            return true;
          }
        }).map(mapRecord) });
      });
    });

    app.use('/', express.static(path.join(__dirname, 'public')));

    httpServer.listen(cli.http, function () {
      console.log(httpServer.address().address + '#' + httpServer.address().port + ' (http)');
    });
  }

  runHttp();

};