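#!/usr/bin/env bash
#
# auth-token.sh — Obtain and cache Authentik API token
#
# Usage: auth-token.sh [-f] [-q] [-a instance]
#
# Prints a valid Authentik API token on stdout. Checks in order:
#   1. Cached token at ~/.cache/mosaic/authentik-token[-<instance>] (if still valid)
#   2. Pre-configured token from credentials.json (authentik.<instance>.token)
#   3. Fails with instructions to create a token in the admin UI
#
# Options:
#   -f            Force re-validation (ignore cached token)
#   -q            Quiet mode — only output the token
#   -a instance   Authentik instance name (e.g. usc, mosaic)
#   -h            Show this help
#
# Environment variables (or credentials.json):
#   AUTHENTIK_URL          — Authentik instance URL
#   AUTHENTIK_TOKEN        — Pre-configured API token (recommended)
#   AUTHENTIK_INSECURE_TLS — set to "true" to skip TLS certificate verification
#                            when probing the API (self-signed lab certs only;
#                            the default is to verify, so a bearer token is not
#                            sent to an unauthenticated endpoint)

set -euo pipefail

MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
# shellcheck source=/dev/null
source "$MOSAIC_HOME/tools/_lib/credentials.sh"

readonly CACHE_DIR="$HOME/.cache/mosaic"

FORCE=false
QUIET=false
AK_INSTANCE=""
CACHE_FILE=""

#######################################
# Print the comment header of this file (everything after the shebang up
# to the first non-comment line) as help text.
# Globals:   none
# Outputs:   help text on stdout
#######################################
usage() {
  sed -e '1d' -e '/^#/!q' -e 's/^# \{0,1\}//' "$0"
}

#######################################
# Emit a progress message on stderr unless -q was given.
# Globals:   QUIET (read)
# Arguments: $* - message
#######################################
log() {
  [[ "$QUIET" == "true" ]] || printf '%s\n' "$*" >&2
}

#######################################
# Write a curl config that carries the bearer token, so the token is never
# placed on curl's command line (argv is visible to every local user via
# ps). Adds "insecure" only when explicitly opted in.
# Globals:   AUTHENTIK_INSECURE_TLS (read)
# Arguments: $1 - token
# Outputs:   curl config text on stdout
#######################################
_curl_config() {
  # NOTE(review): curl's quoted config values treat " and \ as special;
  # Authentik tokens are expected not to contain them — confirm if in doubt.
  printf 'header = "Authorization: Bearer %s"\n' "$1"
  if [[ "${AUTHENTIK_INSECURE_TLS:-false}" == "true" ]]; then
    printf 'insecure\n'
  fi
}

#######################################
# Probe /api/v3/core/users/me/ with the given token.
# Globals:   AUTHENTIK_URL (read)
# Arguments: $1 - token to validate
# Returns:   0 if the API answered 200, non-zero otherwise (including
#            connection failures and timeouts, where curl reports 000)
#######################################
_validate_token() {
  local token="$1"
  local http_code
  http_code=$(_curl_config "$token" |
    curl -s -K - -o /dev/null -w '%{http_code}' \
      --connect-timeout 5 --max-time 10 \
      "${AUTHENTIK_URL}/api/v3/core/users/me/") || return 1
  [[ "$http_code" == "200" ]]
}

#######################################
# Persist a validated token to CACHE_FILE for faster future runs. The file
# is created by mktemp (mode 0600) and renamed into place, so there is no
# window in which the token is readable by other users, unlike creating
# the file first and chmod-ing it afterwards.
# Globals:   CACHE_DIR, CACHE_FILE (read)
# Arguments: $1 - token to cache
# Returns:   0 on success; non-zero if the cache could not be written
#######################################
_cache_token() {
  local token="$1"
  local tmp
  mkdir -p -m 700 "$CACHE_DIR" || return 1
  tmp=$(mktemp "$CACHE_DIR/.authentik-token.XXXXXX") || return 1
  if ! printf '%s\n' "$token" > "$tmp"; then
    rm -f -- "$tmp"
    return 1
  fi
  chmod 600 "$tmp"
  mv -f -- "$tmp" "$CACHE_FILE"
}

#######################################
# Resolve a token: cache first (unless -f), then AUTHENTIK_TOKEN, else
# fail with setup instructions.
# Globals:   FORCE, QUIET, AK_INSTANCE, CACHE_FILE (written), AUTHENTIK_*
# Arguments: script arguments
# Outputs:   the token on stdout; diagnostics on stderr
# Returns:   exits 0 with a token, 1 otherwise
#######################################
main() {
  local opt
  while getopts "fqa:h" opt; do
    case "$opt" in
      f) FORCE=true ;;
      q) QUIET=true ;;
      a) AK_INSTANCE="$OPTARG" ;;
      h) usage; exit 0 ;;
      *) echo "Usage: $0 [-f] [-q] [-a instance]" >&2; exit 1 ;;
    esac
  done

  if [[ -n "$AK_INSTANCE" ]]; then
    load_credentials "authentik-${AK_INSTANCE}"
  else
    load_credentials authentik
  fi
  # Without a URL every probe would fail with an unbound-variable error;
  # fail early with a readable message instead.
  : "${AUTHENTIK_URL:?AUTHENTIK_URL is not set (check credentials.json or the environment)}"

  # AUTHENTIK_INSTANCE is expected to come from load_credentials; the :+
  # expansion keeps this safe under set -u when it is absent.
  CACHE_FILE="$CACHE_DIR/authentik-token${AUTHENTIK_INSTANCE:+-$AUTHENTIK_INSTANCE}"

  # 1. Check cached token
  local cached_token
  if [[ "$FORCE" == "false" && -f "$CACHE_FILE" ]]; then
    cached_token=$(<"$CACHE_FILE")
    if [[ -n "$cached_token" ]] && _validate_token "$cached_token"; then
      log "Using cached token (valid)"
      printf '%s\n' "$cached_token"
      exit 0
    fi
    log "Cached token invalid, checking credentials..."
  fi

  # 2. Use pre-configured token from credentials.json
  if [[ -n "${AUTHENTIK_TOKEN:-}" ]]; then
    if _validate_token "$AUTHENTIK_TOKEN"; then
      # A cache failure is not fatal: the token itself is valid.
      if _cache_token "$AUTHENTIK_TOKEN"; then
        log "Token validated and cached at $CACHE_FILE"
      else
        log "Warning: token validated but could not be cached at $CACHE_FILE"
      fi
      printf '%s\n' "$AUTHENTIK_TOKEN"
      exit 0
    fi
    echo "Error: Pre-configured AUTHENTIK_TOKEN is invalid (API returned non-200)" >&2
    exit 1
  fi

  # 3. No token available
  echo "Error: No Authentik API token configured" >&2
  echo "" >&2
  echo "To create one:" >&2
  echo "  1. Log into Authentik admin: ${AUTHENTIK_URL}/if/admin/#/core/tokens" >&2
  echo "  2. Click 'Create' → set identifier (e.g., 'mosaic-agent')" >&2
  echo "  3. Select 'API Token' intent, uncheck 'Expiring'" >&2
  echo "  4. Copy the key and add to credentials.json:" >&2
  echo "     Add token to credentials.json under authentik.<instance>.token" >&2
  exit 1
}

main "$@"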