// for ngx_http_auth_request_module authentication
// make sure you have cookie_domain set properly
// depends on https://git.mia.jetzt/sysconf/tree/patches/nginx_auth_redirect.patch

use axum::{
    extract::{Path, State},
    http::StatusCode,
    response::{IntoResponse, Redirect, Response},
    routing::get,
    Router,
};
use axum_extra::extract::CookieJar;

use crate::server::{account_auth, store::Store};

use super::{ApiState, WebBase};

pub fn bind(app: Router<ApiState>) -> Router<ApiState> {
    app.route("/nginx_check/:scope", get(nginx_check))
}

#[axum::debug_handler(state = ApiState)]
async fn nginx_check(
    jar: CookieJar,
    Path(scope): Path<String>,
    State(store): State<Store>,
    State(WebBase(web_base)): State<WebBase>,
) -> Response {
    let nevermind = || Redirect::to(&format!("{web_base}/logout")).into_response();
    let Some(name) = account_auth(&jar, &store).await else {
        return nevermind();
    };
    let Some(account) = store.get_account(&name).await else {
        return nevermind();
    };
    if account.scopes.contains(&scope) {
        StatusCode::OK.into_response()
    } else {
        StatusCode::FORBIDDEN.into_response()
    }
}