{-# LANGUAGE OverloadedStrings #-}

-- | Request guard for handlers that require a signed-in user.
--
-- 'loggedAction' runs a handler only after the session token has been
-- resolved to a user; every other path ends in a 403 response.
module Secure
  ( loggedAction
  , getUserFromToken
  ) where

import Web.Scotty
import Network.HTTP.Types.Status (forbidden403)
import Database.Persist (Entity, entityVal)
import Data.Text (Text)
import Data.Text.Lazy (fromStrict)
import Model.User (getUser)
import Model.SignIn (getSignIn)
import Model.Database
import Model.Message (getMessage)
import qualified Model.Message.Key as Key
import Control.Monad.IO.Class (liftIO)
import qualified LoginSession

-- | Run @action@ with the user that owns the current login session.
--
-- The handler is invoked only when 'LoginSession.get' yields a token AND
-- that token resolves to a user through 'getUserFromToken'. Otherwise the
-- handler is never run and the response is 403:
--
-- * no token in the session: body is the 'Key.Forbidden' message;
-- * token present but no matching user: body is the
--   'Key.UnauthorizedSignIn' message.
--
-- NOTE(review): this guard authenticates only. Any per-resource permission
-- check has to happen inside @action@.
loggedAction :: (Entity User -> ActionM ()) -> ActionM ()
loggedAction action =
  LoginSession.get >>= maybe (deny Key.Forbidden) withToken
  where
    -- Resolve the token against the database before touching the handler.
    withToken sessionToken = do
      resolved <- liftIO (runDb (getUserFromToken sessionToken))
      maybe (deny Key.UnauthorizedSignIn) action resolved

    -- Fail closed: set 403 first, then render the localized message.
    deny messageKey = do
      status forbidden403
      html (fromStrict (getMessage messageKey))

-- | Look up the user a sign-in token belongs to.
--
-- The token is resolved to a sign-in record with 'getSignIn', and the user
-- is then fetched by that record's e-mail ('signInEmail'). Returns
-- 'Nothing' when no sign-in record matches the token; otherwise returns
-- whatever 'getUser' yields for the e-mail.
--
-- NOTE(review): no expiry or revocation check is visible here; presumably
-- 'getSignIn' is responsible for rejecting stale tokens. Confirm in
-- "Model.SignIn".
getUserFromToken :: Text -> Persist (Maybe (Entity User))
getUserFromToken token =
  getSignIn token >>= maybe (return Nothing) userForSignIn
  where
    userForSignIn = getUser . signInEmail . entityVal