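* @license BSD */
namespace Domframework;

/*
 * To use it, the $serverKey must be defined. Generate it once from a
 * cryptographically secure source, by example
 *   $serverKey = bin2hex (random_bytes (32));   // PHP >= 7.0
 * and keep it secret : the HS* algorithms are symmetric, the same key signs
 * and verifies the tokens. Deriving the key from the clock, like
 * sha1 (microtime (true)), gives a low-entropy, guessable key.
 */
class Authjwt extends Auth
{
  // PROPERTIES SET BY AUTH
  /** The JSON Web Token Server key if used
   * createJwtToken () refuses to issue a token while it is null. What
   * Jwt::decode () does when it receives a null key is decided in Jwt
   * (NOTE(review): confirm there that a null key is rejected) */
  public $serverKey = null;
  /** The cipher key to decrypt the token (passed through to Jwt) */
  public $cipherKey = null;
  /** The allowed algorithms in array format
   * If null, all the algorithms are allowed
   * allowed : ['HS256', 'HS512', 'HS384'] */
  public $allowedAlg = null;
  /** The algorithm to use, in $allowedAlg list */
  public $algorithm = "HS256";
  /** The directory to store the user credentials */
  public $cacheDir = "data/jwtCache";

  // INTERNAL PROPERTIES
  /** If the user is valid, the payload returned by getdetails () */
  private $payload = null;
  /** Save the token
   * NOTE(review): never assigned by this class as written */
  private $token = null;

  /** No connection to JWT : nothing to open */
  public function connect () // {{{
  {
    return true;
  } // }}}

  /** Try to authenticate the user from the Bearer token of the request
   * If the token is valid and its uuid is still known in the cache, return
   * all the data available in payload. Can return a value without email
   * attribute !
   * A token that is unknown, revoked (see logout ()) or whose payload has no
   * email degrades to the anonymous details instead of raising.
   * @param string $email Email not used (wait for Bearer)
   * @param string $password Password not used (wait for Bearer)
   * @return array The cached payload, or the anonymous details
   * @throws \Exception 401 if the request carries no Bearer token
   */
  public function authentication ($email, $password) // {{{
  {
    list ($uuid, $payload) = $this->readBearerPayload ();
    // The JWT was tested in authparams. End of process
    if (! $this->isUsablePayload ($uuid, $payload))
      return $this->anonymousDetails ();
    $this->payload = $payload;
    return $payload;
  } // }}}

  /** Return all the parameters recorded for the authenticate user
   * @return array The payload stored by authentication (), or the anonymous
   *         details when nothing usable was stored or the stored payload is
   *         itself anonymous
   */
  public function getdetails () // {{{
  {
    if (! is_array ($this->payload))
      return $this->anonymousDetails ();
    if (key_exists ("email", $this->payload) &&
        $this->payload["email"] === "anonymous")
      return $this->anonymousDetails ();
    return $this->payload;
  } // }}}

  /** Save the auth data in cache directory and return the JWT token
   * Do not allow to store data if the $auth is anonymous
   * @param array $auth The authentication to save
   * @return string JWT token, or "" when no $serverKey is configured (no
   *         exception is raised in that case : callers must test for it)
   * @throws \Exception 403 if $auth has no email or is anonymous
   */
  public function createJwtToken ($auth) // {{{
  {
    if ($this->serverKey === null)
      return "";
    if (! key_exists ("email", $auth))
      throw new \Exception (dgettext ("domframework",
                              "AuthJWT : No email available in auth"), 403);
    if ($auth["email"] === "anonymous")
      throw new \Exception (dgettext ("domframework",
                              "AuthJWT : can not create token for anonymous"),
                            403);
    // The token only carries a version 4 uuid : the credentials themselves
    // stay server side in the cache and are never sent to the client
    $uuid = Uuid::uuid4 ();
    $cachefile = new Cachefile ();
    $cachefile->directory = $this->cacheDir;
    $cachefile->write ($uuid, $auth);
    $jwt = new Jwt ();
    return $jwt->encode ($uuid, $this->serverKey, $this->algorithm,
                         $this->cipherKey);
  } // }}}

  /** Method to change the password : unavailable in JWT auth
   * @param string $oldpassword The old password (to check if the user have the
   * rights to change the password)
   * @param string $newpassword The new password to be recorded
   * @throws \Exception 405 always
   */
  public function changepassword ($oldpassword, $newpassword) // {{{
  {
    throw new \Exception (dgettext ("domframework",
                            "The password can't be change for JWT users"),
                          405);
  } // }}}

  /** Method to overwrite the password (without oldpassword check)
   * Must be reserved to the administrators. For the users, use changepassword
   * method. Unavailable in JWT auth.
   * @param string $email the user identifier to select
   * @param string $newpassword The new password to be recorded
   * @throws \Exception 405 always
   */
  public function overwritepassword ($email, $newpassword) // {{{
  {
    throw new \Exception (dgettext ("domframework",
                            "The password can't be overwrite for JWT users"),
                          405);
  } // }}}

  /** Revoke the Bearer token of the request by deleting its cached payload
   * A token whose uuid is no longer in the cache is treated as anonymous by
   * authentication () : deleting the entry is what makes the logout effective
   * server side, the token string itself is not altered.
   * @return bool true once the cache entry is deleted
   * @throws \Exception 401 if no Bearer token is present, 403 if the token
   *         does not resolve to a usable cached payload
   */
  public function logout () // {{{
  {
    list ($uuid, $payload, $cachefile) = $this->readBearerPayload ();
    if (! $this->isUsablePayload ($uuid, $payload))
      throw new \Exception (dgettext ("domframework",
                              "Can not found the token : no logout"), 403);
    $cachefile->delete ($uuid);
    return true;
  } // }}}

  /** Extract the Bearer token of the request, decode it and load the cached
   * payload it points to. Shared by authentication () and logout ().
   * The token is read from the "Authentication" request header
   * ($_SERVER["HTTP_AUTHENTICATION"]), not from the standard "Authorization"
   * one : clients must send that exact header.
   * @return array [uuid, payload, cachefile] : the uuid decoded from the
   *         token, whatever Cachefile::read () returned for it, and the
   *         Cachefile instance used (so a caller can delete the entry)
   * @throws \Exception 401 if the header is missing or is not a Bearer one
   */
  private function readBearerPayload () // {{{
  {
    if (! isset ($_SERVER["HTTP_AUTHENTICATION"]))
      throw new \Exception (dgettext ("domframework",
                              "No Authentication available"), 401);
    if (substr ($_SERVER["HTTP_AUTHENTICATION"], 0, 7) !== "Bearer ")
      throw new \Exception (dgettext ("domframework",
                              "No Bearer Authentication available"), 401);
    $token = substr ($_SERVER["HTTP_AUTHENTICATION"], 7);
    // Signature / algorithm checks happen in Jwt::decode () ; this class only
    // trusts the uuid it returns
    $jwt = new Jwt ();
    $uuid = $jwt->decode ($token, $this->serverKey, $this->allowedAlg,
                          $this->cipherKey);
    $cachefile = new Cachefile ();
    $cachefile->directory = $this->cacheDir;
    $payload = $cachefile->read ((string)$uuid);
    return array ($uuid, $payload, $cachefile);
  } // }}}

  /** Tell if a decoded uuid and its cached payload identify a real user
   * @param mixed $uuid The uuid decoded from the token
   * @param mixed $payload The cached payload read for this uuid
   * @return bool false if either is empty or the payload has no email
   */
  private function isUsablePayload ($uuid, $payload) // {{{
  {
    return ! empty ($uuid) && ! empty ($payload) &&
           key_exists ("email", $payload);
  } // }}}

  /** The details returned for a request without a usable token
   * @return array lastname/firstname/email of the anonymous user
   */
  private function anonymousDetails () // {{{
  {
    return array ("lastname" => "anonymous",
                  "firstname" => "",
                  "email" => "anonymous");
  } // }}}
}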