# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Plugs.AdminSecretAuthenticationPlug do
  import Plug.Conn

  alias Pleroma.User
  alias Pleroma.Web.Plugs.OAuthScopesPlug
  alias Pleroma.Web.Plugs.RateLimiter

  def init(options) do
    options
  end

  def secret_token do
    case Pleroma.Config.get(:admin_token) do
      blank when blank in [nil, ""] -> nil
      token -> token
    end
  end

  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn

  def call(conn, _) do
    if secret_token() do
      authenticate(conn)
    else
      conn
    end
  end

  def authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
    if admin_token == secret_token() do
      assign_admin_user(conn)
    else
      handle_bad_token(conn)
    end
  end

  def authenticate(conn) do
    token = secret_token()

    case get_req_header(conn, "x-admin-token") do
      blank when blank in [[], [""]] -> conn
      [^token] -> assign_admin_user(conn)
      _ -> handle_bad_token(conn)
    end
  end

  defp assign_admin_user(conn) do
    conn
    |> assign(:user, %User{is_admin: true})
    |> OAuthScopesPlug.skip_plug()
  end

  defp handle_bad_token(conn) do
    RateLimiter.call(conn, name: :authentication)
  end
end