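package server

import (
	"encoding/json"
	"net/http"
	"time"
)

// LoginClient abstracts the MCIAS login call so the handler can work
// with the real client or a test fake.
type LoginClient interface {
	// Login exchanges a username and password for a token and its
	// lifetime. A non-nil err means no token was issued.
	Login(username, password string) (token string, expiresIn int, err error)
}

// tokenResponse is the JSON body returned by the token endpoint.
type tokenResponse struct {
	// Token is the bearer token returned by LoginClient.Login.
	Token string `json:"token"`
	// ExpiresIn is passed through unchanged from LoginClient.Login
	// (presumably seconds; confirm against the MCIAS client).
	ExpiresIn int `json:"expires_in"`
	// IssuedAt is the handler's wall-clock time in UTC, RFC 3339 format.
	IssuedAt string `json:"issued_at"`
}

// TokenHandler returns an http.HandlerFunc that exchanges Basic
// credentials for a bearer token via the given LoginClient.
//
// Requests without a Basic Authorization header, or with an empty
// username, are rejected with 401 before the LoginClient is called.
// Any error from Login is also reported as 401 with a generic message,
// so the response does not reveal why authentication failed.
//
// The success response carries a credential, so it is marked
// non-cacheable to keep it out of browser and intermediary caches.
func TokenHandler(loginClient LoginClient) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		username, password, ok := r.BasicAuth()
		if !ok || username == "" {
			writeOCIError(w, "UNAUTHORIZED", http.StatusUnauthorized, "basic authentication required")
			return
		}

		// NOTE(review): every Login error is mapped to 401, so a backend
		// outage is indistinguishable from bad credentials for callers and
		// for monitoring. No throttling of repeated failures is visible
		// here; confirm it is enforced by middleware or by MCIAS.
		token, expiresIn, err := loginClient.Login(username, password)
		if err != nil {
			writeOCIError(w, "UNAUTHORIZED", http.StatusUnauthorized, "authentication failed")
			return
		}

		hdr := w.Header()
		hdr.Set("Content-Type", "application/json")
		// The body contains a bearer token: forbid caching by clients and
		// by any proxy between the client and this server.
		hdr.Set("Cache-Control", "no-store")
		hdr.Set("Pragma", "no-cache")

		// Best effort: once encoding starts the status line is already
		// committed, so a write failure cannot be reported to the client.
		_ = json.NewEncoder(w).Encode(tokenResponse{
			Token:     token,
			ExpiresIn: expiresIn,
			IssuedAt:  time.Now().UTC().Format(time.RFC3339),
		})
	}
}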