<?php

declare(strict_types=1);

namespace PhpQml\Bridge;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

/**
 * Validates the per-session bearer token shared between the Qt host
 * and the Symfony backend.
 *
 * In dev mode the token is read from `.env.local`; in bundled mode the
 * Qt host generates it per session and passes it to FrankenPHP via env.
 * See PLAN.md §3 (*Run modes*, *Edge cases — Per-session secret rotation*).
 */
final class SessionAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
{
    public function __construct(
        #[\SensitiveParameter]
        private readonly string $expectedToken,
    ) {
    }

    public function supports(Request $request): bool
    {
        return $request->headers->has('Authorization');
    }

    public function authenticate(Request $request): Passport
    {
        $header = (string) $request->headers->get('Authorization', '');
        if (!str_starts_with($header, 'Bearer ')) {
            throw new AuthenticationException('Bearer token missing.');
        }

        $token = substr($header, 7);
        if ('' === $this->expectedToken || !hash_equals($this->expectedToken, $token)) {
            throw new AuthenticationException('Bearer token invalid.');
        }

        // Single-session model — there is one bridge "user", not per-end-user auth.
        return new SelfValidatingPassport(new UserBadge('bridge'));
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        return $this->problemJson($exception->getMessage());
    }

    /**
     * Entry point invoked when access is denied without a triggered authenticator
     * (e.g. an anonymous request to a protected route). Without this, Symfony
     * returns its default `WWW-Authenticate: Form` 302/401, which clients
     * speaking JSON would never expect — same shape as onAuthenticationFailure
     * keeps QML's RestClient error mapping consistent across both paths.
     */
    public function start(Request $request, ?AuthenticationException $authException = null): Response
    {
        return $this->problemJson($authException?->getMessage() ?? 'Bearer token required.');
    }

    private function problemJson(string $detail): JsonResponse
    {
        return new JsonResponse(
            [
                'type'   => 'about:blank',
                'title'  => 'Unauthorized',
                'status' => Response::HTTP_UNAUTHORIZED,
                'detail' => $detail,
            ],
            Response::HTTP_UNAUTHORIZED,
            ['Content-Type' => 'application/problem+json'],
        );
    }
}