package auth

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"

	"github.com/MicahParks/keyfunc/v3"
	"github.com/golang-jwt/jwt/v5"
)

type Verifier struct {
	jwks           keyfunc.Keyfunc
	expectedIssuer string
	enabled        bool
	cancel         context.CancelFunc
}

func NewVerifier(neonAuthURL string) (*Verifier, error) {
	trimmed := strings.TrimSpace(neonAuthURL)
	if trimmed == "" {
		return &Verifier{enabled: false}, nil
	}

	parsed, err := url.Parse(trimmed)
	if err != nil {
		return nil, fmt.Errorf("parse neon auth url: %w", err)
	}

	expectedIssuer := fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host)
	jwksURL := fmt.Sprintf("%s/.well-known/jwks.json", trimmed)

	ctx, cancel := context.WithCancel(context.Background())

	jwks, err := keyfunc.NewDefaultCtx(ctx, []string{jwksURL})
	if err != nil {
		cancel()
		return nil, fmt.Errorf("create jwks: %w", err)
	}

	return &Verifier{
		jwks:           jwks,
		expectedIssuer: expectedIssuer,
		enabled:        true,
		cancel:         cancel,
	}, nil
}

func (v *Verifier) Enabled() bool {
	return v.enabled
}

func (v *Verifier) Close() {
	if v.cancel != nil {
		v.cancel()
	}
}

func (v *Verifier) Verify(tokenString string) (jwt.MapClaims, error) {
	if !v.enabled {
		return nil, errors.New("neon auth verifier is disabled")
	}

	token, err := jwt.Parse(tokenString, v.jwks.Keyfunc,
		jwt.WithIssuer(v.expectedIssuer),
		jwt.WithValidMethods([]string{"EdDSA"}),
		jwt.WithAudience(v.expectedIssuer),
		jwt.WithLeeway(15*time.Second),
	)
	if err != nil {
		return nil, err
	}

	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok || !token.Valid {
		return nil, errors.New("invalid token claims")
	}
	return claims, nil
}