SteamWar/WebsiteBackend/src/de/steamwar/routes/Auth.kt

/*
 *   This file is a part of the SteamWar software.
 *
 *   Copyright (C) 2024 SteamWar.de-Serverteam
 *
 *   This program is free software: you can redistribute it and/or modify
 *   it under the terms of the GNU Affero General Public License as published by
 *   the Free Software Foundation, either version 3 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 *   GNU Affero General Public License for more details.
 *
 *   You should have received a copy of the GNU Affero General Public License
 *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

package de.steamwar.routes

import de.steamwar.ResponseError
import de.steamwar.plugins.SWAuthPrincipal
import de.steamwar.plugins.SWPermissionCheck
import de.steamwar.sql.SteamwarUser
import de.steamwar.sql.Token
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import kotlinx.serialization.Serializable
import java.time.format.DateTimeFormatter
import java.time.LocalDateTime

@Serializable
data class AuthLoginRequest(val username: String, val password: String)

@Serializable
data class AuthTokenResponse(val token: String)

@Serializable
data class ResponseToken(val id: Int, val name: String, val created: String) {
    constructor(token: Token) : this(token.id, token.name, token.created.toLocalDateTime().toString())
}

@Serializable
data class CreateTokenRequest(val name: String, val password: String)

fun Route.configureAuthRoutes() {
    route("/auth") {
        post("/login") {
            if (call.principal<SWAuthPrincipal>() != null) {
                call.respond(HttpStatusCode.Forbidden, ResponseError("Already logged in", "already_logged_in"))
                return@post
            }

            val request = call.receive<AuthLoginRequest>()

            val user = SteamwarUser.get(request.username)

            if (user == null) {
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
                return@post
            }

            if (!user.verifyPassword(request.password)) {
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
                return@post
            }

            val code = Token.createToken("Website: ${DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(LocalDateTime.now())}", user)
            call.respond(AuthTokenResponse(code))
        }
        route("/tokens") {
            install(SWPermissionCheck) {
                mustAuth = true
            }

            get {
                val auth = call.principal<SWAuthPrincipal>()

                if(auth == null) {
                    call.respond(HttpStatusCode.InternalServerError)
                    return@get
                }

                call.respond(Token.listUser(auth.user).map { ResponseToken(it) })
            }

            post {
                val auth = call.principal<SWAuthPrincipal>()

                if(auth == null) {
                    call.respond(HttpStatusCode.InternalServerError)
                    return@post
                }

                val request = call.receive<CreateTokenRequest>()

                if(request.name.length > 32) {
                    call.respond(HttpStatusCode.BadRequest, ResponseError("Name too long", "name_too_long"))
                    return@post
                }

                if(request.name.length < 3) {
                    call.respond(HttpStatusCode.BadRequest, ResponseError("Name too short", "name_too_short"))
                    return@post
                }

                if(!auth.user.verifyPassword(request.password)) {
                    call.respond(HttpStatusCode.BadRequest, ResponseError("Invalid password", "invalid_password"))
                    return@post
                }

                val token = Token.createToken(request.name, auth.user)

                call.respond(AuthTokenResponse(token))
            }

            route("/{id}") {
                delete {
                    val auth = call.principal<SWAuthPrincipal>()

                    if(auth == null) {
                        call.respond(HttpStatusCode.InternalServerError)
                        return@delete
                    }

                    val id = call.parameters["id"]?.toIntOrNull()

                    if(id == null) {
                        call.respond(HttpStatusCode.BadRequest)
                        return@delete
                    }

                    val token = Token.get(id)

                    if(token == null) {
                        call.respond(HttpStatusCode.NotFound)
                        return@delete
                    }

                    if(token.owner != auth.user) {
                        call.respond(HttpStatusCode.Forbidden)
                        return@delete
                    }

                    token.delete()
                    call.respond(HttpStatusCode.OK)
                }
            }

            post("/logout") {
                val auth = call.principal<SWAuthPrincipal>()

                if(auth == null) {
                    call.respond(HttpStatusCode.InternalServerError)
                    return@post
                }

                auth.token.delete()
                call.respond(HttpStatusCode.OK)
            }
        }
    }
}