// @flow
import JWT from "jsonwebtoken";
import subMinutes from "date-fns/sub_minutes";
import { AuthenticationError } from "../errors";
import { User } from "../models";

function getJWTPayload(token) {
  let payload;
  try {
    payload = JWT.decode(token);
  } catch (err) {
    throw new AuthenticationError("Unable to decode JWT token");
  }

  if (!payload) {
    throw new AuthenticationError("Invalid token");
  }
  return payload;
}

export async function getUserForJWT(token: string) {
  const payload = getJWTPayload(token);
  const user = await User.findByPk(payload.id);

  try {
    JWT.verify(token, user.jwtSecret);
  } catch (err) {
    throw new AuthenticationError("Invalid token");
  }

  return user;
}

export async function getUserForEmailSigninToken(token: string) {
  const payload = getJWTPayload(token);

  // check the token is within it's expiration time
  if (payload.createdAt) {
    if (new Date(payload.createdAt) < subMinutes(new Date(), 10)) {
      throw new AuthenticationError("Expired token");
    }
  }

  const user = await User.findByPk(payload.id);

  // if user has signed in at all since the token was created then
  // it's no longer valid, they'll need a new one.
  if (user.lastSignedInAt > payload.createdAt) {
    throw new AuthenticationError("Token has already been used");
  }

  try {
    JWT.verify(token, user.jwtSecret);
  } catch (err) {
    throw new AuthenticationError("Invalid token");
  }

  return user;
}