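package authz

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidToken is returned by NewIDToken when the input is not a
// three-segment compact JWT (header.payload.signature).
var ErrInvalidToken = errors.New("Invalid token")

// CustomClaims holds the profile-style claims this package reads from the
// ID token payload. Groups is populated from the "groups_direct" claim.
type CustomClaims struct {
	Name       string   `json:"name"`
	Nickname   string   `json:"nickname"`
	Email      string   `json:"email"`
	ProfileURL string   `json:"profile"`
	Picture    string   `json:"picture"`
	Groups     []string `json:"groups_direct"`
}

// IDToken is the decoded payload (second segment) of an OpenID Connect ID
// token. Audience, Expiry, IssuedAt and NotBefore are left as `any` because
// their JSON representation varies between issuers (string vs. array,
// integer vs. float); callers must type-switch on them before use.
type IDToken struct {
	Issuer       string                 `json:"iss"`
	Subject      string                 `json:"sub"`
	Audience     any                    `json:"aud"`
	Expiry       any                    `json:"exp"`
	IssuedAt     any                    `json:"iat"`
	NotBefore    any                    `json:"nbf"`
	Nonce        string                 `json:"nonce"`
	AtHash       string                 `json:"at_hash"`
	ClaimNames   map[string]string      `json:"_claim_names"`
	ClaimSources map[string]ClaimSource `json:"_claim_sources"`
	CustomClaims
}

// ClaimSource describes where a distributed claim (see ClaimNames) can be
// fetched from, as carried in the "_claim_sources" payload member.
type ClaimSource struct {
	Endpoint    string `json:"endpoint"`
	AccessToken string `json:"access_token"`
}

// NewIDToken decodes the payload segment of a compact-serialized JWT into an
// IDToken.
//
// It only base64url-decodes and JSON-unmarshals the second segment. The
// signature (third segment) is NOT verified and the issuer, audience, expiry,
// not-before and nonce claims are NOT checked, so every field of the returned
// token is attacker-controllable until the caller validates the token against
// the issuer's signing keys and checks those claims.
//
// It returns ErrInvalidToken when raw does not consist of exactly three
// dot-separated segments (this also rejects five-segment JWE input), and
// wraps the underlying error when the payload is not valid base64url or not
// a JSON object.
func NewIDToken(raw string) (*IDToken, error) {
	// Split on every dot rather than SplitN(…, 3) so that inputs with more
	// than three segments are rejected instead of being treated as a JWS
	// whose signature happens to contain dots.
	sections := strings.Split(raw, ".")
	if len(sections) != 3 {
		return nil, ErrInvalidToken
	}

	// JWS uses unpadded base64url (RFC 7515 §2).
	payload, err := base64.RawURLEncoding.DecodeString(sections[1])
	if err != nil {
		return nil, fmt.Errorf("decoding id token payload: %w", err)
	}

	token := &IDToken{}
	if err := json.Unmarshal(payload, token); err != nil {
		return nil, fmt.Errorf("parsing id token payload: %w", err)
	}
	return token, nil
}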