epik/auth/

mod.rs

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::fs;
use std::path::PathBuf;

use crate::config::Config;
use crate::{Error, Result};

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuthToken {
    pub access_token: String,
    pub refresh_token: String,
    pub expires_at: DateTime<Utc>,
    pub account_id: String,
}

impl AuthToken {
    pub fn is_expired(&self) -> bool {
        Utc::now() >= self.expires_at
    }

    pub fn save(&self) -> Result<()> {
        // Use OS keychain/credential manager for secure storage
        let entry = keyring::Entry::new("epik", "auth_token")
            .map_err(|e| Error::Auth(format!("Failed to access keyring: {}", e)))?;

        let contents = serde_json::to_string(self)?;
        entry
            .set_password(&contents)
            .map_err(|e| Error::Auth(format!("Failed to save to keyring: {}", e)))?;

        // Cleanup old insecure file if it exists
        // We do this to ensure we don't leave plain text credentials lying around
        let auth_path = Self::auth_path()?;
        if auth_path.exists() {
            let _ = fs::remove_file(auth_path);
        }

        Ok(())
    }

    pub fn load() -> Result<Option<Self>> {
        // Try loading from keyring first
        let entry = keyring::Entry::new("epik", "auth_token");

        match entry {
            Ok(e) => {
                match e.get_password() {
                    Ok(contents) => {
                        let token: AuthToken = serde_json::from_str(&contents)?;
                        return Ok(Some(token));
                    }
                    Err(_) => {
                        // Keyring might be empty or error, fallthrough to legacy file check
                    }
                }
            }
            Err(_) => {
                // Keyring access failed, fallthrough to legacy file check
            }
        }

        // Handle migration from old token formats (plain JSON file)
        let auth_path = Self::auth_path()?;

        if !auth_path.exists() {
            return Ok(None);
        }

        let contents = fs::read_to_string(&auth_path)?;
        let token: AuthToken = serde_json::from_str(&contents)?;

        // Automatically migrate to keyring
        if let Err(e) = token.save() {
            // If save fails, we log it but don't crash, we still have the token in memory
            // Just warn user via standard error or log if available (log used elsewhere)
            // We can't easily log here without importing log, but returning Ok(Some) is main priority.
            eprintln!("Warning: Failed to migrate token to keyring: {}", e);
        }

        Ok(Some(token))
    }

    pub fn delete() -> Result<()> {
        // Delete from keyring
        let entry = keyring::Entry::new("epik", "auth_token");
        if let Ok(e) = entry {
            let _ = e.delete_password();
        }

        // Delete from legacy file just in case
        let auth_path = Self::auth_path()?;
        if auth_path.exists() {
            fs::remove_file(&auth_path)?;
        }

        Ok(())
    }

    fn auth_path() -> Result<PathBuf> {
        let data_dir = Config::data_dir()?;
        Ok(data_dir.join("auth.json"))
    }
}

#[derive(Clone)]
pub struct AuthManager {
    token: Option<AuthToken>,
}

impl AuthManager {
    pub fn new() -> Result<Self> {
        let token = AuthToken::load()?;
        Ok(Self { token })
    }

    pub fn is_authenticated(&self) -> bool {
        if let Some(token) = &self.token {
            !token.is_expired()
        } else {
            false
        }
    }

    pub fn get_token(&self) -> Result<&AuthToken> {
        match &self.token {
            Some(token) if !token.is_expired() => Ok(token),
            _ => Err(Error::NotAuthenticated),
        }
    }

    pub fn get_stored_token(&self) -> Option<&AuthToken> {
        self.token.as_ref()
    }

    // Check if token will expire soon (within 5 minutes)
    pub fn token_needs_refresh(&self) -> bool {
        if let Some(token) = &self.token {
            let now = chrono::Utc::now();
            let time_until_expiry = token.expires_at.signed_duration_since(now);
            time_until_expiry.num_minutes() < 5
        } else {
            false
        }
    }

    pub fn get_refresh_token(&self) -> Option<String> {
        self.token.as_ref().map(|t| t.refresh_token.clone())
    }

    pub fn set_token(&mut self, token: AuthToken) -> Result<()> {
        token.save()?;
        self.token = Some(token);
        Ok(())
    }

    pub fn logout(&mut self) -> Result<()> {
        AuthToken::delete()?;
        self.token = None;
        Ok(())
    }
}

impl Default for AuthManager {
    fn default() -> Self {
        Self::new().unwrap_or(Self { token: None })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_auth_manager_not_authenticated_by_default() {
        let manager = AuthManager { token: None };
        assert!(!manager.is_authenticated());
    }

    #[test]
    fn test_auth_token_expiry() {
        let expired_token = AuthToken {
            access_token: "test".to_string(),
            refresh_token: "test".to_string(),
            expires_at: Utc::now() - chrono::Duration::hours(1),
            account_id: "test".to_string(),
        };
        assert!(expired_token.is_expired());

        let valid_token = AuthToken {
            access_token: "test".to_string(),
            refresh_token: "test".to_string(),
            expires_at: Utc::now() + chrono::Duration::hours(1),
            account_id: "test".to_string(),
        };
        assert!(!valid_token.is_expired());
    }
}