package workspaceapps

import (
	"crypto/sha256"
	"encoding/hex"
	"net/http"

	"github.com/coder/coder/v2/coderd/httpmw"
	"github.com/coder/coder/v2/codersdk"
)

type AppCookies struct {
	PathAppSessionToken      string
	SubdomainAppSessionToken string
	SignedAppToken           string
}

// NewAppCookies returns the cookie names for the app session token for the
// given hostname. The subdomain cookie is unique per workspace proxy and is
// based on a hash of the workspace proxy subdomain hostname. See
// SubdomainAppSessionTokenCookie for more details.
func NewAppCookies(hostname string) AppCookies {
	return AppCookies{
		PathAppSessionToken:      codersdk.PathAppSessionTokenCookie,
		SubdomainAppSessionToken: SubdomainAppSessionTokenCookie(hostname),
		SignedAppToken:           codersdk.SignedAppTokenCookie,
	}
}

// CookieNameForAccessMethod returns the cookie name for the long-lived session
// token for the given access method.
func (c AppCookies) CookieNameForAccessMethod(accessMethod AccessMethod) string {
	if accessMethod == AccessMethodSubdomain {
		return c.SubdomainAppSessionToken
	}
	// Path-based and terminal apps are on the same domain:
	return c.PathAppSessionToken
}

// SubdomainAppSessionTokenCookie returns the cookie name for the subdomain app
// session token. This is unique per workspace proxy and is based on a hash of
// the workspace proxy subdomain hostname.
//
// The reason the cookie needs to be unique per workspace proxy is to avoid
// cookies from one proxy (e.g. the primary) being sent on requests to a
// different proxy underneath the wildcard.
//
// E.g. `*.dev.coder.com` and `*.sydney.dev.coder.com`
//
// If you have an expired cookie on the primary proxy (valid for
// `*.dev.coder.com`), your browser will send it on all requests to the Sydney
// proxy as it's underneath the wildcard.
//
// By using a unique cookie name per workspace proxy, we can avoid this issue.
func SubdomainAppSessionTokenCookie(hostname string) string {
	hash := sha256.Sum256([]byte(hostname))
	// 16 bytes of uniqueness is probably enough.
	str := hex.EncodeToString(hash[:16])
	return codersdk.SubdomainAppSessionTokenCookie + "_" + str
}

// AppConnectSessionTokenFromRequest returns the session token from the request
// if it exists. The access method is used to determine which cookie name to
// use.
//
// We use different cookie names for path apps and for subdomain apps to avoid
// both being set and sent to the server at the same time and the server using
// the wrong value.
//
// We use different cookie names for:
// - path apps: coder_path_app_session_token
// - subdomain apps: coder_subdomain_app_session_token_{unique_hash}
//
// We prefer the access-method-specific cookie first, then fall back to standard
// Coder token extraction (query parameters, Coder-Session-Token header, etc.).
func (c AppCookies) TokenFromRequest(r *http.Request, accessMethod AccessMethod) string {
	// Prefer the access-method-specific cookie first.
	//
	// Workspace app requests commonly include an `Authorization` header intended
	// for the upstream app (e.g. API calls). `httpmw.APITokenFromRequest` supports
	// RFC 6750 bearer tokens, so if we consult it first we'd incorrectly treat
	// that upstream header as a Coder session token and ignore the app session
	// cookie, breaking token renewal for subdomain apps.
	cookie, err := r.Cookie(c.CookieNameForAccessMethod(accessMethod))
	if err == nil && cookie.Value != "" {
		return cookie.Value
	}

	// Fall back to standard Coder token extraction (session cookie, query param,
	// Coder-Session-Token header, and then Authorization: Bearer).
	token := httpmw.APITokenFromRequest(r)
	if token != "" {
		return token
	}

	return ""
}