// auth/middleware.go
package auth

import (
    "crypto/subtle"
    "net/http"
    "time"
)

type AuthMiddleware struct {
    username string
    password string
    sessions *SessionManager
}

func NewAuthMiddleware(username, password string, sessions *SessionManager) *AuthMiddleware {
    return &AuthMiddleware{
        username: username,
        password: password,
        sessions: sessions,
    }
}

func (a *AuthMiddleware) Login(w http.ResponseWriter, r *http.Request) {
    if r.Method == "GET" {
        a.serveLoginPage(w)
        return
    }
    
    if r.Method != "POST" {
        http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
        return
    }
    
    username := r.FormValue("username")
    password := r.FormValue("password")
    
    // 使用常量时间比较防止时序攻击
    usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(a.username)) == 1
    passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(a.password)) == 1
    
    if usernameMatch && passwordMatch {
        sessionID := a.sessions.Create(30 * time.Minute)
        
        http.SetCookie(w, &http.Cookie{
            Name:     "session_id",
            Value:    sessionID,
            Path:     "/",
            HttpOnly: true,
            Secure:   true,
            SameSite: http.SameSiteStrictMode,
            MaxAge:   1800,
        })
        
        http.Redirect(w, r, "/", http.StatusSeeOther)
        return
    }
    
    // 登录失败，延迟响应防止暴力破解
    time.Sleep(2 * time.Second)
    http.Redirect(w, r, "/login?error=1", http.StatusSeeOther)
}

func (a *AuthMiddleware) Logout(w http.ResponseWriter, r *http.Request) {
    cookie, err := r.Cookie("session_id")
    if err == nil {
        a.sessions.Delete(cookie.Value)
    }
    
    http.SetCookie(w, &http.Cookie{
        Name:     "session_id",
        Value:    "",
        Path:     "/",
        HttpOnly: true,
        Secure:   true,
        MaxAge:   -1,
    })
    
    http.Redirect(w, r, "/login", http.StatusSeeOther)
}

func (a *AuthMiddleware) Require(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        cookie, err := r.Cookie("session_id")
        if err != nil || !a.sessions.Valid(cookie.Value) {
            http.Redirect(w, r, "/login", http.StatusFound)
            return
        }
        next.ServeHTTP(w, r)
    })
}

func (a *AuthMiddleware) serveLoginPage(w http.ResponseWriter) {
    html := `<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Login - Secure Site Proxy</title>
    <style>
        * { margin: 0; padding: 0; box-sizing: border-box; }
        body {
            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
            min-height: 100vh;
            display: flex;
            align-items: center;
            justify-content: center;
        }
        .login-container {
            background: white;
            padding: 40px;
            border-radius: 10px;
            box-shadow: 0 10px 40px rgba(0,0,0,0.2);
            width: 100%;
            max-width: 400px;
        }
        h1 {
            text-align: center;
            margin-bottom: 30px;
            color: #333;
        }
        .form-group {
            margin-bottom: 20px;
        }
        label {
            display: block;
            margin-bottom: 5px;
            color: #555;
            font-weight: 500;
        }
        input {
            width: 100%;
            padding: 12px;
            border: 2px solid #e0e0e0;
            border-radius: 5px;
            font-size: 14px;
            transition: border-color 0.3s;
        }
        input:focus {
            outline: none;
            border-color: #667eea;
        }
        button {
            width: 100%;
            padding: 12px;
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
            color: white;
            border: none;
            border-radius: 5px;
            font-size: 16px;
            font-weight: 600;
            cursor: pointer;
            transition: transform 0.2s;
        }
        button:hover {
            transform: translateY(-2px);
        }
        .error {
            background: #fee;
            color: #c33;
            padding: 10px;
            border-radius: 5px;
            margin-bottom: 20px;
            text-align: center;
        }
    </style>
</head>
<body>
    <div class="login-container">
        <h1>🔒 Secure Login</h1>
        <form method="POST" action="/login">
            <div class="form-group">
                <label for="username">Username</label>
                <input type="text" id="username" name="username" required autofocus>
            </div>
            <div class="form-group">
                <label for="password">Password</label>
                <input type="password" id="password" name="password" required>
            </div>
            <button type="submit">Login</button>
        </form>
    </div>
</body>
</html>`
    w.Header().Set("Content-Type", "text/html; charset=utf-8")
    w.Write([]byte(html))
}