import { NotAuthenticated } from '@feathersjs/errors'
import { Paginated } from '@feathersjs/feathers/lib'
import crypto from 'crypto'
import { iff, isProvider } from 'feathers-hooks-common'

import { ServerSettingInterface } from '@xrengine/common/src/dbmodels/ServerSetting'
import logger from '@xrengine/common/src/logger'

import { Application } from '../../../declarations'
import authenticate from '../../hooks/authenticate'
import setResponseStatusCode from '../../hooks/set-response-status-code'
import { getUserRepos } from '../../projects/project/github-helper'
import { UnauthorizedException } from '../../util/exceptions/exception'
import { GithubRepoAccess } from './github-repo-access.class'
import githubRepoAccessDocs from './github-repo-access.docs'
import hooks from './github-repo-access.hooks'
import createModel from './github-repo-access.model'

declare module '@xrengine/common/declarations' {
  interface ServiceTypes {
    'github-repo-access': any
    'github-repo-access-webhook': any
    'github-repo-access-refresh': any
  }
}

const SIG_HEADER_NAME = 'x-hub-signature-256'
const SIG_HASH_ALGORITHM = 'sha256'

/**
 * Initialize our service with any options it requires and docs
 */
export default (app: Application): void => {
  const options = {
    Model: createModel(app),
    paginate: app.get('paginate'),
    multi: true
  }

  const event = new GithubRepoAccess(options, app)
  event.docs = githubRepoAccessDocs

  app.use('github-repo-access', event)

  const service = app.service('github-repo-access')

  service.hooks(hooks)

  app.use('github-repo-access-webhook', {
    create: async (data, params): Promise<string> => {
      try {
        const secret = ((await app.service('server-setting').find()) as Paginated<ServerSettingInterface>).data[0]
          .githubWebhookSecret
        const sig = Buffer.from(params.headers[SIG_HEADER_NAME] || '', 'utf8')
        const hmac = crypto.createHmac(SIG_HASH_ALGORITHM, secret)
        const digest = Buffer.from(SIG_HASH_ALGORITHM + '=' + hmac.update(JSON.stringify(data)).digest('hex'), 'utf8')
        if (sig.length !== digest.length || !crypto.timingSafeEqual(digest, sig)) {
          throw new UnauthorizedException('Invalid secret')
        }
        const { blocked_user, member, membership } = data
        const ghUser = member
          ? member.login
          : membership
          ? membership.user.login
          : blocked_user
          ? blocked_user.login
          : null
        if (!ghUser) return ''
        const githubIdentityProvider = await app.service('identity-provider').Model.findOne({
          where: {
            type: 'github',
            accountIdentifier: ghUser
          }
        })
        if (!githubIdentityProvider) return ''
        const user = await app.service('user').get(githubIdentityProvider.userId)
        // GitHub's API doesn't always reflect changes to user repo permissions right when a webhook is sent.
        // 10 seconds should be more than enough time for the changes to propagate.
        setTimeout(() => {
          app.service('github-repo-access-refresh').find({ user })
        }, 10000)
        return ''
      } catch (err) {
        console.error(err)
        throw err
      }
    }
  })

  app.service('github-repo-access-webhook').hooks({
    after: {
      create: [setResponseStatusCode(200)]
    }
  })
  app.use('github-repo-access-refresh', {
    find: async (params): Promise<void> => {
      try {
        const githubIdentityProvider = await (app.service('identity-provider') as any).Model.findOne({
          where: {
            userId: params.user.id,
            type: 'github'
          }
        })
        if (githubIdentityProvider) {
          const existingGithubRepoAccesses = await app.service('github-repo-access').Model.findAll({
            paginate: false,
            where: {
              identityProviderId: githubIdentityProvider.id
            }
          })
          const githubRepos = await getUserRepos(githubIdentityProvider.oauthToken)
          await Promise.all(
            githubRepos.map(async (repo) => {
              const matchingAccess = existingGithubRepoAccesses.find((access) => access.repo === repo.html_url)
              const hasWriteAccess = repo.permissions.admin || repo.permissions.maintain || repo.permissions.push
              if (!matchingAccess)
                await app.service('github-repo-access').create({
                  repo: repo.html_url,
                  identityProviderId: githubIdentityProvider.id,
                  hasWriteAccess
                })
              else
                await app.service('github-repo-access').patch(matchingAccess.id, {
                  hasWriteAccess
                })
            })
          )
          const urlsOnly = githubRepos.map((repo) => repo.html_url)
          await Promise.all(
            existingGithubRepoAccesses.map(async (repoAccess) => {
              if (urlsOnly.indexOf(repoAccess.repo) < 0) await app.service('github-repo-access').remove(repoAccess.id)
            })
          )
        }
        return
      } catch (err) {
        logger.error(err)
        throw err
      }
    }
  })

  app.service('github-repo-access-refresh').hooks({
    before: {
      find: [iff(isProvider('external'), authenticate() as any)]
    }
  })
}