package main

import (
	"time"

	"github.com/kataras/iris/v12"
	"github.com/kataras/iris/v12/middleware/jwt"
)

var (
	sigKey = []byte("signature_hmac_secret_shared_key")
	encKey = []byte("GCM_AES_256_secret_shared_key_32")
)

type fooClaims struct {
	Foo string `json:"foo"`
}

/*
In this example you will learn the essentials
of the Iris builtin JWT middleware based on the github.com/kataras/jwt package.
*/

func main() {
	app := iris.New()

	signer := jwt.NewSigner(jwt.HS256, sigKey, 10*time.Minute)
	// Enable payload encryption with:
	// signer.WithGCM(encKey, nil)
	app.Get("/", generateToken(signer))

	verifier := jwt.NewVerifier(jwt.HS256, sigKey)
	// Enable server-side token block feature (even before its expiration time):
	verifier.WithDefaultBlocklist()
	// Enable payload decryption with:
	// verifier.WithGCM(encKey, nil)
	verifyMiddleware := verifier.Verify(func() interface{} {
		return new(fooClaims)
	})

	protectedAPI := app.Party("/protected")
	// Register the verify middleware to allow access only to authorized clients.
	protectedAPI.Use(verifyMiddleware)
	// ^ or UseRouter(verifyMiddleware) to disallow unauthorized http error handlers too.

	protectedAPI.Get("/", protected)
	// Invalidate the token through server-side, even if it's not expired yet.
	protectedAPI.Get("/logout", logout)

	// http://localhost:8080
	// http://localhost:8080/protected?token=$token (or Authorization: Bearer $token)
	// http://localhost:8080/protected/logout?token=$token
	// http://localhost:8080/protected?token=$token (401)
	app.Listen(":8080")
}

func generateToken(signer *jwt.Signer) iris.Handler {
	return func(ctx iris.Context) {
		claims := fooClaims{Foo: "bar"}

		token, err := signer.Sign(claims)
		if err != nil {
			ctx.StopWithStatus(iris.StatusInternalServerError)
			return
		}

		ctx.Write(token)
	}
}

func protected(ctx iris.Context) {
	// Get the verified and decoded claims.
	claims := jwt.Get(ctx).(*fooClaims)

	// Optionally, get token information if you want to work with them.
	// Just an example on how you can retrieve all the standard claims (set by signer's max age, "exp").
	standardClaims := jwt.GetVerifiedToken(ctx).StandardClaims
	expiresAtString := standardClaims.ExpiresAt().Format(ctx.Application().ConfigurationReadOnly().GetTimeFormat())
	timeLeft := standardClaims.Timeleft()

	ctx.Writef("foo=%s\nexpires at: %s\ntime left: %s\n", claims.Foo, expiresAtString, timeLeft)
}

func logout(ctx iris.Context) {
	err := ctx.Logout()
	if err != nil {
		ctx.WriteString(err.Error())
	} else {
		ctx.Writef("token invalidated, a new token is required to access the protected API")
	}
}