<?php

namespace TwoFAS\TwoFAS\Authentication;

use Exception;
use TwoFAS\Api\Exception\Exception as API_Exception;
use TwoFAS\TwoFAS\Core\Legacy_Mode_Checker;
use TwoFAS\TwoFAS\Exceptions\Response\Errors;
use TwoFAS\TwoFAS\Exceptions\User_Not_Found_Exception;
use TwoFAS\TwoFAS\Helpers\Flash;
use TwoFAS\TwoFAS\Hooks\Authenticate_Filter;
use TwoFAS\TwoFAS\Http\JSON_Response;
use TwoFAS\TwoFAS\Http\Redirection_Response;
use TwoFAS\TwoFAS\Http\Request;
use TwoFAS\TwoFAS\Http\View_Response;
use TwoFAS\TwoFAS\Integration\API_Wrapper;
use TwoFAS\TwoFAS\Storage\Authentication_Storage;
use TwoFAS\TwoFAS\Storage\Storage;
use WP_Error;
use WP_User;

/**
 * This class displays a configuration confirmation view and also handles a confirmation request.
 */
final class Configuration_Confirmation extends Login_Handler {

	/**
	 * @var Authentication_Storage
	 */
	private $authentication_storage;

	/**
	 * @var Request
	 */
	private $request;

	/**
	 * @var Flash
	 */
	private $flash;

	/**
	 * @var API_Wrapper
	 */
	private $api_wrapper;

	/**
	 * @var Legacy_Mode_Checker
	 */
	private $legacy_mode_checker;

	/**
	 * @param Login_Support       $login_support
	 * @param Storage             $storage
	 * @param Request             $request
	 * @param Flash               $flash
	 * @param API_Wrapper         $api_wrapper
	 * @param Legacy_Mode_Checker $legacy_mode_checker
	 */
	public function __construct(
		Login_Support $login_support,
		Storage $storage,
		Request $request,
		Flash $flash,
		API_Wrapper $api_wrapper,
		Legacy_Mode_Checker $legacy_mode_checker
	) {
		parent::__construct( $login_support );
		$this->authentication_storage = $storage->get_authentication_storage();
		$this->request                = $request;
		$this->flash                  = $flash;
		$this->api_wrapper            = $api_wrapper;
		$this->legacy_mode_checker    = $legacy_mode_checker;
	}

	/**
	 * @param null|WP_Error|WP_User $user
	 *
	 * @return bool
	 */
	public function supports( $user ) {
		if ( $this->login_support->has_final_response() ) {
			return false;
		}

		try {
			$this->get_wp_user();
		} catch ( User_Not_Found_Exception $e ) {
			return false;
		}

		return $this->legacy_mode_checker->totp_is_obligatory_or_legacy_mode_is_active()
			&& ! $this->user_storage->is_totp_enabled()
			&& $this->user_storage->is_totp_configured();
	}

	/**
	 * @param null|WP_Error|WP_User $user
	 *
	 * @return bool|JSON_Response|Redirection_Response|View_Response
	 */
	protected function handle( $user ) {
		try {
			if ( $this->can_perform_action( Login_Action::TOTP_CONFIRMATION ) ) {
				$this->confirm();
			} else {
				$this->authenticate_via_totp();
			}
		} catch ( Exception $e ) {
			$this->capture_exception( $e );
		}

		return $this->fallback( $user );
	}

	/**
	 * @param string $action
	 *
	 * @return bool
	 */
	private function can_perform_action( $action ) {
		return $this->request->is_login_action_equal_to( $action );
	}

	/**
	 * @throws API_Exception
	 * @throws User_Not_Found_Exception
	 */
	private function confirm() {
		if ( $this->authentication_storage->is_authentication_expired() ) {
			$final_response = $this->json_error( Errors::AUTHENTICATION_EXPIRED_ERROR, 403 );
			$this->login_support->set_final_response( $final_response );

			return;
		}

		$code = $this->request->post( Authenticate_Filter::TWOFAS_CODE_KEY );

		if ( empty( $code ) ) {
			$this->login_support->set_error( Errors::EMPTY_CODE );
			$final_response = $this->view( 'login/totp_confirmation.html.twig' );
			$this->login_support->set_final_response( $final_response );

			return;
		}

		$authentications = $this->authentication_storage->get_authentications();
		$result          = $this->api_wrapper->check_code( $authentications, $code );

		if ( $result->accepted() ) {
			$this->user_storage->enable_totp();
			$this->user_storage->enable_2fa();
			$this->flash->add_message( 'success', 'totp-enabled' );
			$final_response = $this->json( array( 'user_id' => $this->get_user_id() ), 200 );
			$this->login_support->set_final_response( $final_response );
		} elseif ( $result->canRetry() ) {
			$final_response = $this->view( 'login/totp_confirmation.html.twig' );

			$this->login_support->set_final_response( $final_response );
			$this->login_support->set_error( Errors::INVALID_CODE );
		} else {
			$this->user_storage->block_user();
			$final_response = $this->json_error( Errors::AUTHENTICATION_LIMIT_ERROR, 403 );
			$this->login_support->set_final_response( $final_response );
		}
	}

	/**
	 * @throws API_Exception
	 * @throws User_Not_Found_Exception
	 */
	private function authenticate_via_totp() {
		if ( ! $this->authentication_storage->has_open_authentication() ) {
			$integration_user = $this->api_wrapper->get_integration_user_by_external_id( $this->get_user_id() );

			if ( is_null( $integration_user ) ) {
				$final_response = $this->json_error( Errors::INTEGRATION_USER_ERROR, 404 );
				$this->login_support->set_final_response( $final_response );

				return;
			}

			$authentication = $this->api_wrapper->request_auth_via_totp( $integration_user->getTotpSecret() );
			$this->authentication_storage->open_authentication( $authentication );
		}

		$final_response = $this->view( 'login/totp_confirmation.html.twig' );
		$this->login_support->set_final_response( $final_response );
	}
}