package auth

import (
	"encoding/base64"
	"fmt"
	"os"
	"strconv"

	"github.com/gin-gonic/gin"
	log "github.com/sirupsen/logrus"
)

func Header(c *gin.Context, key string) string {
	if values, _ := c.Request.Header[key]; len(values) > 0 {
		return values[0]
	}
	return ""
}

func BasicAuth() gin.HandlerFunc {
	realm := "Authorization Required"
	realm = "Basic realm=" + strconv.Quote(realm)
	user := os.Getenv("USER")
	password := os.Getenv("PASSWORD")
	enabled := isEnabled(user, password)
	if enabled {
		log.Warn("Auth mode enabled")
		log.Warn(fmt.Sprintf("Visit http://%s:%s@0.0.0.0:8080", user, password))
	}
	return func(c *gin.Context) {
		header := Header(c, "Authorization")
		if enabled && header != authorizationHeader(user, password) {
			// Credentials doesn't match, we return 401 and abort handlers chain.
			c.Header("WWW-Authenticate", realm)
			c.AbortWithStatus(401)
			return
		}
		c.Next()
	}
}

func isEnabled(user, password string) bool {
	switch {
	case user == "":
		return false
	case password == "":
		return false
	default:
		return true
	}
}

func authorizationHeader(user, password string) string {
	base := user + ":" + password
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(base))
}