<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Redirecting...</title>
        <style>
        body {
          background-color: #ffcccc;
        }
        </style>
    </head>
    <body>
        Redirecting...

        <!-- TODO permanently cache with appcache (or service worker?) -->
        <!-- TODO slim this all down to a single file -->
        <script src="../../assets/oauth3.org/oauth3.core.js"></script>
        <script>
          ;(function () {
            'use strict';

            var loc = window.location;
            var loginWinObj = window.OAUTH3.query.parse(loc.hash || loc.search);
            var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";

            if (loginWinObj.debug) {
              console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
            }
            if (!loginWinObj.state) {
              console.error(loginWinObj);
              window.alert(prefix + ": missing state parameter");
            }

            // '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
            // TODO finalize name of '--oauth3-callback-', this will be a defacto standard
            // TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
            var callbackName = '--oauth3-callback-' + loginWinObj.state;

            console.log(prefix, loc.href);
            console.log(prefix, 'Parsed URL Obj:', loginWinObj);
            console.log(prefix, 'callbackName:', callbackName);

            window.oauth3complete = function () {
              // The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
              // see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
              // TODO Should we still create an abstraction for older versions?
              if (window.parent) {
                // iframe
                try {
                  window.parent[callbackName](loginWinObj);
                  return;
                } catch(e) {
                  console.warn(e);
                }
              }

              if (window.opener) {
                try {
                  window.opener[callbackName](loginWinObj);
                  return;
                } catch(e) {
                  console.warn(e);
                }
              }

              console.error("neither window.parent nor window.opener existed to complete callback");

              /*
              // the caller should close (or signal to close) the window
              try {
                window.close();
              } catch (err) {
                console.log('Error: ', err);
              }
              */
            };

            if (!loginWinObj.debug) {
              window.oauth3complete();
            }
            else {
              document.body.innerHTML = window.location.hostname + window.location.pathname
                    + '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
                    + ' to let you look at logs or whatever it is that you intended to do.'
                    + '<br/><br/>Continue with callback: <a href="javascript:window.oauth3complete()">javascript:window.oauth3complete()</' + 'a>';
              return;
            }

          }());
        </script>
    </body>
</html>