<?php

declare(strict_types=1);

namespace app\api\controller\v1;

use app\common\controller\Api;
use app\common\library\AgentJwt;
use app\common\model\ChannelManage;
use app\admin\model\Admin;
use Webman\Http\Request;
use support\Response;

/**
 * API v1 鉴权接口
 */
class Auth extends Api
{
    /**
     * Agent Token 类型
     */
    public const TOKEN_TYPE = 'agent';

    /**
     * 时间戳有效范围（秒），防止重放攻击
     */
    protected int $timeTolerance = 300;

    /**
     * 获取鉴权 Token
     * 参数：signature（签名）、secret（密钥）、agent_id（代理）、time（时间戳）
     * 返回：authtoken；失败返回 code=0 及失败信息
     */
    public function authToken(Request $request): Response
    {
        $response = $this->initializeApi($request);
        if ($response !== null) {
            return $response;
        }

        $signature = $request->post('signature', $request->get('signature', ''));
        $secret = $request->post('secret', $request->get('secret', ''));
        $agentId = $request->post('agent_id', $request->get('agent_id', ''));
        $time = $request->post('time', $request->get('time', ''));

        if ($signature === '' || $secret === '' || $agentId === '' || $time === '') {
            return $this->error(__('Parameter %s can not be empty', ['signature/secret/agent_id/time']));
        }

        $timestamp = (int) $time;
        if ($timestamp <= 0) {
            return $this->error(__('Invalid timestamp'));
        }

        $now = time();
        if ($timestamp < $now - $this->timeTolerance || $timestamp > $now + $this->timeTolerance) {
            return $this->error(__('Timestamp expired'));
        }

        $admin = Admin::where('agent_id', $agentId)->find();
        if (!$admin) {
            return $this->error(__('Agent not found'));
        }

        $channelId = (int) ($admin->channel_id ?? 0);
        if ($channelId <= 0) {
            return $this->error(__('Agent not found'));
        }

        $channel = ChannelManage::where('id', $channelId)->find();
        if (!$channel || $channel->secret === '') {
            return $this->error(__('Agent not found'));
        }

        if ($channel->secret !== $secret) {
            return $this->error(__('Invalid agent or secret'));
        }

        $expectedSignature = hash_hmac('sha256', $agentId . $time, $channel->secret);
        if (!hash_equals($expectedSignature, $signature)) {
            return $this->error(__('Invalid signature'));
        }

        $expire = (int) config('buildadmin.agent_auth.token_expire', 86400);
        $payload = [
            'agent_id'   => $agentId,
            'channel_id' => $channel->id,
            'admin_id'   => $admin->id,
        ];
        $authtoken = AgentJwt::encode($payload, $expire);

        return $this->success('', [
            'authtoken' => $authtoken,
        ]);
    }
}