fediglam/src/main/api.zig

const std = @import("std");
const util = @import("util");
const builtin = @import("builtin");

const db = @import("./db.zig");
const models = @import("./db/models.zig");
pub const DateTime = util.DateTime;
pub const Uuid = util.Uuid;
const Config = @import("./main.zig").Config;

const PwHash = std.crypto.pwhash.scrypt;
const pw_hash_params = PwHash.Params.interactive;
const pw_hash_encoding = .phc;
const pw_hash_buf_size = 128;

const token_len = 20;
const token_str_len = std.base64.standard.Encoder.calcSize(token_len);

const invite_code_len = 16;
const invite_code_str_len = std.base64.url_safe.Encoder.calcSize(invite_code_len);

const services = struct {
    const communities = @import("./api/communities.zig");
    const users = @import("./api/users.zig");
    const auth = @import("./api/auth.zig");
    const invites = @import("./api/invites.zig");
};

pub const RegistrationRequest = struct {
    username: []const u8,
    password: []const u8,
    invite_code: []const u8,
    email: ?[]const u8,
};

pub const InviteRequest = struct {
    pub const Type = services.invites.InviteType;

    name: ?[]const u8 = null,
    expires_at: ?DateTime = null, // TODO: Change this to lifespan
    max_uses: ?usize = null,

    invite_type: Type = .user, // must be user unless the creator is an admin
    to_community: ?[]const u8 = null, // only valid on admin community
};

// Frees an api struct and its fields allocated from alloc
pub fn free(alloc: std.mem.Allocator, val: anytype) void {
    switch (@typeInfo(@TypeOf(val))) {
        .Pointer => |ptr_info| switch (ptr_info.size) {
            .One => {
                free(alloc, val.*);
                alloc.destroy(val);
            },
            .Slice => {
                for (val) |elem| free(alloc, elem);
                alloc.free(val);
            },
            else => unreachable,
        },
        .Struct => inline for (std.meta.fields(@TypeOf(val))) |f| free(alloc, @field(val, f.name)),
        .Array => for (val) |elem| free(alloc, elem),
        .Optional => if (val) |opt| free(alloc, opt),
        .Bool, .Int, .Float, .Enum => {},
        else => unreachable,
    }
}

pub fn firstIndexOf(str: []const u8, ch: u8) ?usize {
    for (str) |c, i| {
        if (c == ch) return i;
    }

    return null;
}

pub const Scheme = models.Community.Scheme;

pub const LoginResult = struct {
    user_id: Uuid,
    token: [token_str_len]u8,
    issued_at: DateTime,
};

threadlocal var prng: std.rand.DefaultPrng = undefined;

pub fn initThreadPrng(seed: u64) void {
    prng = std.rand.DefaultPrng.init(seed +% std.Thread.getCurrentId());
}

pub fn getRandom() std.rand.Random {
    return prng.random();
}

// Returned slice points into buf
fn hashPassword(password: []const u8, alloc: std.mem.Allocator, buf: *[pw_hash_buf_size]u8) ![]const u8 {
    return PwHash.strHash(password, .{ .allocator = alloc, .params = pw_hash_params, .encoding = pw_hash_encoding }, buf);
}

pub const ApiSource = struct {
    db: db.Database,
    internal_alloc: std.mem.Allocator,
    config: Config,

    pub const Conn = ApiConn(db.Database);

    const root_username = "root";
    const root_password_envvar = "CLUSTER_ROOT_PASSWORD";

    pub fn init(alloc: std.mem.Allocator, cfg: Config) !ApiSource {
        var self = ApiSource{
            .db = try db.Database.init(),
            .internal_alloc = alloc,
            .config = cfg,
        };

        if ((try services.users.lookupByUsername(&self.db, root_username, null)) == null) {
            std.log.info("No cluster root user detected. Creating...", .{});

            const root_password = std.os.getenv(root_password_envvar) orelse {
                std.log.err(
                    "No root user created and no password specified. Please provide the password for the root user by the ${s} environment variable for initial startup. This only needs to be done once",
                    .{root_password_envvar},
                );
                @panic("No root password provided");
            };

            _ = try services.users.create(&self.db, root_username, root_password, null, .{}, alloc);
        }

        return self;
    }

    fn getCommunityFromHost(self: *ApiSource, host: []const u8) !?Uuid {
        if (try self.db.execRow(
            &.{Uuid},
            "SELECT id FROM community WHERE host = ?",
            .{host},
            null,
        )) |result| return result[0];

        // Test for cluster admin community
        if (util.ciutf8.eql(self.config.cluster_host, host)) {
            return null;
        }

        return error.NoCommunity;
    }

    pub fn connectUnauthorized(self: *ApiSource, host: []const u8, alloc: std.mem.Allocator) !Conn {
        const community_id = try self.getCommunityFromHost(host);

        return Conn{
            .db = self.db,
            .internal_alloc = self.internal_alloc,
            .user_id = null,
            .community_id = community_id,
            .arena = std.heap.ArenaAllocator.init(alloc),
        };
    }

    pub fn connectToken(self: *ApiSource, host: []const u8, token: []const u8, alloc: std.mem.Allocator) !Conn {
        const community_id = try self.getCommunityFromHost(host);

        const token_info = try services.auth.tokens.verify(&self.db, token, community_id);

        return Conn{
            .db = self.db,
            .internal_alloc = self.internal_alloc,
            .user_id = token_info.user_id,
            .community_id = community_id,
            .arena = std.heap.ArenaAllocator.init(alloc),
        };
    }
};

fn ApiConn(comptime DbConn: type) type {
    return struct {
        const Self = @This();

        db: DbConn,
        internal_alloc: std.mem.Allocator, // used *only* for large, internal buffers
        user_id: ?Uuid,
        community_id: ?Uuid,
        arena: std.heap.ArenaAllocator,

        pub fn close(self: *Self) void {
            self.arena.deinit();
        }

        fn isAdmin(self: *Self) bool {
            // TODO
            return self.user_id != null and self.community_id == null;
        }

        pub fn login(self: *Self, username: []const u8, password: []const u8) !LoginResult {
            const user_id = (try services.users.lookupByUsername(&self.db, username, self.community_id)) orelse return error.InvalidLogin;
            try services.auth.passwords.verify(&self.db, user_id, password, self.internal_alloc);

            const token = try services.auth.tokens.create(&self.db, user_id);

            return LoginResult{
                .user_id = user_id,
                .token = token.value,
                .issued_at = token.info.issued_at,
            };
        }

        const TokenInfo = struct {
            username: []const u8,
        };
        pub fn getTokenInfo(self: *Self) !TokenInfo {
            if (self.user_id) |user_id| {
                const result = (try self.db.execRow(
                    &.{[]const u8},
                    "SELECT username FROM user WHERE id = ?",
                    .{user_id},
                    self.arena.allocator(),
                )) orelse {
                    return error.UserNotFound;
                };
                return TokenInfo{ .username = result[0] };
            }

            return error.Unauthorized;
        }

        pub fn createCommunity(self: *Self, origin: []const u8) !services.communities.Community {
            if (!self.isAdmin()) {
                return error.PermissionDenied;
            }

            return services.communities.create(&self.db, origin, null);
        }

        pub fn createInvite(self: *Self, options: InviteRequest) !services.invites.Invite {
            // Only logged in users can make invites
            const user_id = self.user_id orelse return error.PermissionDenied;

            const community_id = if (options.to_community) |host| blk: {
                // You can only specify a different community if you're on the admin domain
                if (self.community_id != null) return error.WrongCommunity;

                // Only admins can invite on the admin domain
                if (!self.isAdmin()) return error.PermissionDenied;

                break :blk (try services.communities.getByHost(&self.db, host, self.arena.allocator())).id;
            } else self.community_id;

            // Users can only make user invites
            if (options.invite_type != .user and !self.isAdmin()) return error.PermissionDenied;

            return try services.invites.create(&self.db, user_id, community_id, .{
                .name = options.name,
                .expires_at = options.expires_at,
                .max_uses = options.max_uses,
                .invite_type = options.invite_type,
            }, self.arena.allocator());
        }

        pub fn register(self: *Self, request: RegistrationRequest) !services.users.User {
            std.log.debug("registering user {s} with code {s}", .{ request.username, request.invite_code });
            const invite = try services.invites.getByCode(&self.db, request.invite_code, self.arena.allocator());

            if (!Uuid.eql(invite.to_community, self.community_id)) return error.NotFound;
            if (invite.max_uses != null and invite.times_used >= invite.max_uses.?) return error.InviteExpired;
            if (invite.expires_at != null and DateTime.now().isAfter(invite.expires_at.?)) return error.InviteExpired;

            if (self.community_id == null) @panic("Unimplmented");

            const user_id = try services.users.create(&self.db, request.username, request.password, self.community_id, .{ .invite_id = invite.id, .email = request.email }, self.internal_alloc);

            switch (invite.invite_type) {
                .user => {},
                .system => @panic("System user invites unimplemented"),
                .community_owner => {
                    try services.communities.transferOwnership(&self.db, self.community_id.?, user_id);
                },
            }

            return services.users.get(&self.db, user_id, self.arena.allocator()) catch |err| switch (err) {
                error.NotFound => error.Unexpected,
                else => err,
            };
        }
    };
}