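package hwsauth

import (
	"net/http"
	"reflect"

	"git.haelnorr.com/h/golib/jwt"
	"github.com/pkg/errors"
)

// refreshAuthTokens exchanges a valid refresh token for a new token pair.
//
// It loads the user identified by rT.SUB through auth.load, writes new token
// cookies to w via jwt.SetTokenCookies, and then revokes rT inside tx.
// On success it returns the loaded user model; on any failure it returns
// getNil[T]() together with a wrapped error.
//
// NOTE(review): the new cookies are set on w before rT is revoked. If
// rT.Revoke fails, the Set-Cookie headers are already on the response while
// the old refresh token has not been revoked. Callers should roll back tx and
// avoid sending the response headers as-is when an error is returned —
// confirm the calling handler does this.
func (auth *Authenticator[T, TX]) refreshAuthTokens(
	tx TX,
	w http.ResponseWriter,
	r *http.Request,
	rT *jwt.RefreshToken,
) (T, error) {
	// Fail with an error rather than a nil-pointer panic on rT.SUB below.
	if rT == nil {
		return getNil[T](), errors.New("no refresh token provided")
	}

	model, err := auth.load(r.Context(), tx, rT.SUB)
	if err != nil {
		return getNil[T](), errors.Wrap(err, "auth.load")
	}

	// reflect.Value.IsNil panics on the zero Value (which is what ValueOf
	// returns for a nil interface) and on non-nillable kinds, so check
	// validity and kind first. A missing user must surface as an error on
	// this authentication path, never as a panic.
	v := reflect.ValueOf(model)
	noUser := !v.IsValid()
	if !noUser {
		switch v.Kind() {
		case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map,
			reflect.Pointer, reflect.Slice, reflect.UnsafePointer:
			noUser = v.IsNil()
		}
	}
	if noUser {
		return getNil[T](), errors.New("no user matching JWT in database")
	}

	// Only the "exp" TTL keeps the session remembered; "session" and any
	// unrecognised value evaluate to false.
	rememberMe := rT.TTL == "exp"

	// NOTE(review): the earlier comment here said "fresh" is set to true, but
	// the call passes false. The fifth argument is presumably the fresh flag;
	// tokens minted from a refresh token were not obtained by presenting
	// credentials, so false looks like the intended value — confirm against
	// jwt.SetTokenCookies.
	err = jwt.SetTokenCookies(w, r, auth.tokenGenerator, model.GetID(), false, rememberMe, auth.SSL)
	if err != nil {
		return getNil[T](), errors.Wrap(err, "jwt.SetTokenCookies")
	}

	// New tokens have been issued; revoke the old refresh token so it cannot
	// be replayed.
	err = rT.Revoke(jwt.DBTransaction(tx))
	if err != nil {
		return getNil[T](), errors.Wrap(err, "rT.Revoke")
	}

	// Return the authorized user.
	return model, nil
}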