oauth2.go

// Copyright 2017-2026 Allow2 Pty Ltd. All rights reserved.
// Use of this source code is governed by the Allow2 API and SDK Licence.

package allow2service

import (
	"fmt"
	"net/url"
)

// oauth2Manager handles the OAuth2 authorization flow for Allow2 Service API integrations.
type oauth2Manager struct {
	clientID     string
	clientSecret string
	tokenStorage TokenStorage
	httpClient   HTTPClient
	apiHost      string
}

// refreshBuffer is the number of seconds before actual expiry to trigger a refresh.
const refreshBuffer = 300

// GetAuthorizeURL builds the OAuth2 authorization URL.
func (m *oauth2Manager) GetAuthorizeURL(userID, redirectURI, state string) string {
	params := url.Values{}
	params.Set("response_type", "code")
	params.Set("client_id", m.clientID)
	params.Set("redirect_uri", redirectURI)
	params.Set("user_id", userID)

	if state != "" {
		params.Set("state", state)
	}

	return m.apiHost + "/oauth2/authorize?" + params.Encode()
}

// ExchangeCode exchanges an authorization code for access and refresh tokens.
func (m *oauth2Manager) ExchangeCode(userID, code, redirectURI string) (*OAuthTokens, error) {
	response, err := m.httpClient.Post(
		m.apiHost+"/oauth2/token",
		map[string]interface{}{
			"grant_type":    "authorization_code",
			"code":          code,
			"redirect_uri":  redirectURI,
			"client_id":     m.clientID,
			"client_secret": m.clientSecret,
		},
		nil,
	)
	if err != nil {
		return nil, &ApiError{
			Allow2Error: Allow2Error{Message: fmt.Sprintf("OAuth2 token exchange request failed: %v", err)},
		}
	}

	if !response.IsSuccess() {
		body := response.JSON()
		desc := ""
		if body != nil {
			if d, ok := body["error_description"].(string); ok {
				desc = d
			}
		}
		if desc == "" {
			desc = response.Body
		}
		return nil, &ApiError{
			Allow2Error:    Allow2Error{Message: "OAuth2 token exchange failed: " + desc},
			HTTPStatusCode: response.StatusCode,
			ResponseBody:   body,
		}
	}

	body := response.JSON()
	if body == nil {
		return nil, &ApiError{
			Allow2Error:    Allow2Error{Message: "OAuth2 token exchange returned invalid JSON"},
			HTTPStatusCode: response.StatusCode,
		}
	}

	tokens := OAuthTokensFromAPIResponse(body)
	if err := m.tokenStorage.Store(userID, tokens); err != nil {
		return nil, &Allow2Error{Message: fmt.Sprintf("Failed to store tokens: %v", err)}
	}

	return tokens, nil
}

// GetAccessToken returns a valid access token, refreshing if necessary.
func (m *oauth2Manager) GetAccessToken(userID string) (string, error) {
	tokens, err := m.tokenStorage.Retrieve(userID)
	if err != nil {
		return "", &TokenExpiredError{
			Allow2Error: Allow2Error{Message: fmt.Sprintf("Failed to retrieve tokens: %v", err)},
			UserID:      userID,
		}
	}

	if tokens == nil {
		return "", &TokenExpiredError{
			Allow2Error: Allow2Error{Message: "No tokens stored for user. Authorization required."},
			UserID:      userID,
		}
	}

	if !tokens.IsExpired(refreshBuffer) {
		return tokens.AccessToken, nil
	}

	refreshed, err := m.RefreshTokens(userID, tokens)
	if err != nil {
		return "", err
	}

	return refreshed.AccessToken, nil
}

// RefreshTokens refreshes the OAuth2 tokens using the refresh token.
func (m *oauth2Manager) RefreshTokens(userID string, tokens *OAuthTokens) (*OAuthTokens, error) {
	response, err := m.httpClient.Post(
		m.apiHost+"/oauth2/token",
		map[string]interface{}{
			"grant_type":    "refresh_token",
			"refresh_token": tokens.RefreshToken,
			"client_id":     m.clientID,
			"client_secret": m.clientSecret,
		},
		nil,
	)
	if err != nil {
		_ = m.tokenStorage.Delete(userID)
		return nil, &TokenExpiredError{
			Allow2Error: Allow2Error{Message: fmt.Sprintf("OAuth2 token refresh request failed: %v", err)},
			UserID:      userID,
		}
	}

	if !response.IsSuccess() {
		_ = m.tokenStorage.Delete(userID)
		return nil, &TokenExpiredError{
			Allow2Error: Allow2Error{
				Message: fmt.Sprintf("OAuth2 token refresh failed. Re-authorization required. HTTP %d", response.StatusCode),
			},
			UserID: userID,
		}
	}

	body := response.JSON()
	if body == nil {
		_ = m.tokenStorage.Delete(userID)
		return nil, &TokenExpiredError{
			Allow2Error: Allow2Error{Message: "OAuth2 token refresh returned invalid JSON"},
			UserID:      userID,
		}
	}

	newTokens := OAuthTokensFromAPIResponse(body)
	if err := m.tokenStorage.Store(userID, newTokens); err != nil {
		return nil, &Allow2Error{Message: fmt.Sprintf("Failed to store refreshed tokens: %v", err)}
	}

	return newTokens, nil
}

// CheckPairingStatus checks whether a user's service account pairing is still valid.
func (m *oauth2Manager) CheckPairingStatus(userID string) bool {
	exists, err := m.tokenStorage.Exists(userID)
	if err != nil || !exists {
		return false
	}

	accessToken, err := m.GetAccessToken(userID)
	if err != nil {
		return false
	}

	response, err := m.httpClient.Post(
		m.apiHost+"/oauth2/checkStatus",
		map[string]interface{}{
			"access_token":  accessToken,
			"client_id":     m.clientID,
			"client_secret": m.clientSecret,
		},
		nil,
	)
	if err != nil || !response.IsSuccess() {
		return false
	}

	body := response.JSON()
	if body == nil {
		return false
	}

	if paired, ok := body["paired"]; ok {
		return toBool(paired)
	}
	if active, ok := body["active"]; ok {
		return toBool(active)
	}
	return false
}

// Unpair deletes stored tokens for a user.
func (m *oauth2Manager) Unpair(userID string) error {
	return m.tokenStorage.Delete(userID)
}

// HasTokens checks whether tokens exist for the given user.
func (m *oauth2Manager) HasTokens(userID string) bool {
	exists, err := m.tokenStorage.Exists(userID)
	if err != nil {
		return false
	}
	return exists
}

// toBool converts an interface{} value to bool.
func toBool(v interface{}) bool {
	switch val := v.(type) {
	case bool:
		return val
	case float64:
		return val != 0
	case string:
		return val == "true" || val == "1"
	default:
		return false
	}
}