local _M = {}

-- constant tier ids
local tier_id_anonymous = 0
local tier_id_free = 1

-- fallback - remember to keep those updated
local anon_limits = {
    ["tierID"] = tier_id_anonymous,
    ["tierName"] = "anonymous",
    ["upload"] = 655360,
    ["download"] = 655360,
    ["maxUploadSize"] = 1073741824,
    ["registry"] = 250
}

-- get all non empty authentication headers from request, we want to return
-- all of them and let accounts service deal with validation and prioritisation
function _M.get_auth_headers()
    local utils = require("utils")
    local request_headers = ngx.req.get_headers()
    local headers = {}

    -- try to extract skynet-jwt cookie from cookie header
    local skynet_jwt_cookie = utils.extract_cookie(request_headers["Cookie"], "skynet[-]jwt")

    -- if skynet-jwt cookie is present, pass it as is
    if skynet_jwt_cookie then
        headers["Cookie"] = skynet_jwt_cookie
    end

    -- if authorization header is set, pass it as is
    if request_headers["Authorization"] then
        headers["Authorization"] = request_headers["Authorization"]
    end

    -- if skynet api key header is set, pass it as is
    if request_headers["Skynet-Api-Key"] then
        headers["Skynet-Api-Key"] = request_headers["Skynet-Api-Key"]
    end

    return headers
end

-- handle request exit when access to portal should be restricted to authenticated users only
function _M.exit_access_unauthorized(message)
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.header["content-type"] = "text/plain"
    ngx.say(message or "Portal operator restricted access to authenticated users only")
    return ngx.exit(ngx.status)
end

-- handle request exit when access to portal should be restricted to subscription users only
function _M.exit_access_forbidden(message)
    ngx.status = ngx.HTTP_FORBIDDEN
    ngx.header["content-type"] = "text/plain"
    ngx.say(message or "Portal operator restricted access to users with active subscription only")
    return ngx.exit(ngx.status)
end

function _M.accounts_enabled()
    return os.getenv("PORTAL_MODULES"):match("a") ~= nil
end

function _M.get_account_limits()
    local cjson = require('cjson')
    local utils = require('utils')
    local auth_headers = _M.get_auth_headers()

    -- simple case of anonymous request - none of available auth headers exist
    if utils.is_table_empty(auth_headers) then
        return anon_limits
    end

    if ngx.var.account_limits == "" then
        local httpc = require("resty.http").new()

        -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
        local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits?unit=byte", {
            headers = auth_headers,
        })

        -- fail gracefully in case /user/limits failed
        if err or (res and res.status ~= ngx.HTTP_OK) then
            ngx.log(ngx.ERR, "Failed accounts service request /user/limits?unit=byte: ", err or ("[HTTP " .. res.status .. "] " .. res.body))
            ngx.var.account_limits = cjson.encode(anon_limits)
        elseif res and res.status == ngx.HTTP_OK then
            ngx.var.account_limits = res.body
        end
    end

    return cjson.decode(ngx.var.account_limits)
end

-- detect whether current user is authenticated
function _M.is_authenticated()
    if not _M.accounts_enabled() then return false end

    local limits = _M.get_account_limits()

    return limits.tierID > tier_id_anonymous
end

-- detect whether current user has active subscription
function _M.has_subscription()
    local limits = _M.get_account_limits()

    return limits.tierID > tier_id_free
end

function _M.is_auth_required()
    return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "authenticated"
end

function _M.is_subscription_required()
    return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "subscription"
end

function is_access_always_allowed()
    -- options requests do not attach cookies - should always be available
    -- requests should not be limited based on accounts if accounts are not enabled
    return ngx.req.get_method() == "OPTIONS" or not _M.accounts_enabled()
end

-- check whether access is restricted if portal requires authorization
function _M.is_access_unauthorized()
    if is_access_always_allowed() then return false end

    -- check if authentication is required and request is not authenticated
    return _M.is_auth_required() and not _M.is_authenticated()
end

-- check whether user is authenticated but does not have access to given resources
function _M.is_access_forbidden()
    if is_access_always_allowed() then return false end

    -- check if active subscription is required and request is from user without it
    return _M.is_subscription_required() and not _M.has_subscription()
end

return _M