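#!/bin/bash

# OAuth 2.1 Test Script
# This script demonstrates how to test OAuth 2.1 flows against a local
# authorization server: discovery, the PKCE authorization-code grant
# (public client), the refresh-token grant, authorization-code replay,
# and the client-credentials grant (confidential client).
#
# Requirements: bash, curl, openssl, jq.
# Environment overrides: BASE_URL, CLIENT_ID, CONFIDENTIAL_CLIENT_ID,
# CONFIDENTIAL_CLIENT_SECRET, REDIRECT_URI.
#
# NOTE: this is a test harness. It prints the code verifier and the issued
# tokens to the terminal so they can be inspected; do not point it at a
# production server and do not paste its output anywhere public.

set -uo pipefail

BASE_URL="${BASE_URL:-http://localhost:9000}"
CLIENT_ID="${CLIENT_ID:-public-client}"
CONFIDENTIAL_CLIENT_ID="${CONFIDENTIAL_CLIENT_ID:-confidential-client}"
# Test-only secret; override it through the environment instead of editing the script.
CONFIDENTIAL_CLIENT_SECRET="${CONFIDENTIAL_CLIENT_SECRET:-secret}"
# Plain http is acceptable here only because this is a loopback redirect URI.
REDIRECT_URI="${REDIRECT_URI:-http://127.0.0.1:8080/authorized}"

for tool in curl openssl jq; do
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "Required tool not found: $tool" >&2
        exit 1
    fi
done

# Percent-encode one query-string value (RFC 3986) so '/', ':' and spaces
# survive inside the authorization URL.
urlencode() {
    jq -rn --arg v "$1" '$v | @uri'
}

# Pretty-print a JSON body; fall back to the raw text when it is not JSON.
show_json() {
    jq '.' <<<"$1" 2>/dev/null || printf '%s\n' "$1"
}

# Exchange an authorization code for tokens. Prints the raw token response.
# Every parameter is form-encoded by curl so codes and URIs with reserved
# characters are transmitted intact.
exchange_code() {
    curl -s "$BASE_URL/oauth2/token" \
        --data-urlencode "grant_type=authorization_code" \
        --data-urlencode "code=$1" \
        --data-urlencode "redirect_uri=$REDIRECT_URI" \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "code_verifier=$CODE_VERIFIER"
}

echo "================================"
echo "OAuth 2.1 Authorization Server"
echo "================================"
echo ""

# 1. Discovery document (RFC 8414)
echo "1. Fetching Well-Known Configuration..."
if DISCOVERY=$(curl -sf "$BASE_URL/.well-known/oauth-authorization-server"); then
    show_json "$DISCOVERY"
else
    echo "   Could not fetch the discovery document from $BASE_URL (server not running?)" >&2
fi
echo ""

# 2. PKCE (RFC 7636).
#    The verifier is 32 random bytes, base64url-encoded without padding, which
#    yields 43 characters (the RFC minimum; max is 128). The S256 challenge is
#    base64url(SHA-256(verifier)), also unpadded. Standard base64 emits '+',
#    '/' and '=', which are outside the URL-safe alphabet: '+' and '/' must be
#    TRANSLATED to '-' and '_' and '=' stripped. Deleting '+' or '/' outright
#    corrupts the digest, and the server's challenge check then fails.
echo "2. Generating PKCE Challenge..."
CODE_VERIFIER=$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=')
CODE_CHALLENGE=$(printf '%s' "$CODE_VERIFIER" \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A \
    | tr '+/' '-_' \
    | tr -d '=')
# An unguessable state value binds the callback to this request (CSRF defence);
# a fixed value such as "xyz123" provides no protection.
STATE=$(openssl rand -hex 16)

echo "   Code Verifier: $CODE_VERIFIER"
echo "   Code Challenge: $CODE_CHALLENGE"
echo ""

# 3. Authorization request (open in a browser)
echo "3. Authorization Request (Open in browser):"
AUTH_URL="$BASE_URL/oauth2/authorize?response_type=code"
AUTH_URL+="&client_id=$(urlencode "$CLIENT_ID")"
AUTH_URL+="&redirect_uri=$(urlencode "$REDIRECT_URI")"
AUTH_URL+="&scope=$(urlencode "openid profile email read write")"
AUTH_URL+="&code_challenge=$CODE_CHALLENGE"
AUTH_URL+="&code_challenge_method=S256"
AUTH_URL+="&state=$STATE"
echo "   $AUTH_URL"
echo ""
echo "   Login with: user / password"
echo "   After approval, you'll be redirected to:"
echo "   $REDIRECT_URI?code=AUTHORIZATION_CODE&state=$STATE"
echo "   Only continue if the 'state' in the redirect equals $STATE."
echo ""

# 4. Collect the callback parameters and verify state before using the code.
read -r -p "4. Enter the authorization code from redirect: " AUTH_CODE
read -r -p "   Enter the state value from redirect (blank to skip the check): " RETURNED_STATE
if [[ -n "$RETURNED_STATE" && "$RETURNED_STATE" != "$STATE" ]]; then
    echo "   ERROR: state mismatch (expected $STATE, got $RETURNED_STATE); not exchanging the code." >&2
    AUTH_CODE=""
fi
echo ""

# 5. Exchange the authorization code for tokens
if [[ -n "$AUTH_CODE" ]]; then
    echo "5. Exchanging authorization code for tokens..."
    TOKEN_RESPONSE=$(exchange_code "$AUTH_CODE")
    show_json "$TOKEN_RESPONSE"

    # '// empty' maps a missing or null field to "", so one -n test suffices.
    ACCESS_TOKEN=$(jq -r '.access_token // empty' <<<"$TOKEN_RESPONSE" 2>/dev/null)
    REFRESH_TOKEN=$(jq -r '.refresh_token // empty' <<<"$TOKEN_RESPONSE" 2>/dev/null)
    echo ""

    if [[ -n "$ACCESS_TOKEN" ]]; then
        # 6. UserInfo — the bearer token travels in the Authorization header, never the query string.
        echo "6. Fetching UserInfo..."
        curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "$BASE_URL/userinfo" | jq '.' || echo "Failed to fetch userinfo"
        echo ""

        # 7. Refresh-token grant
        if [[ -n "$REFRESH_TOKEN" ]]; then
            echo "7. Refreshing access token..."
            REFRESH_RESPONSE=$(curl -s "$BASE_URL/oauth2/token" \
                --data-urlencode "grant_type=refresh_token" \
                --data-urlencode "refresh_token=$REFRESH_TOKEN" \
                --data-urlencode "client_id=$CLIENT_ID")
            show_json "$REFRESH_RESPONSE"

            # OAuth 2.1 requires refresh tokens issued to public clients to be
            # rotated or sender-constrained; getting the same token back is a finding.
            NEW_REFRESH_TOKEN=$(jq -r '.refresh_token // empty' <<<"$REFRESH_RESPONSE" 2>/dev/null)
            if [[ -n "$NEW_REFRESH_TOKEN" && "$NEW_REFRESH_TOKEN" == "$REFRESH_TOKEN" ]]; then
                echo "   WARNING: refresh token was not rotated (OAuth 2.1 requires rotation or sender-constraining for public clients)" >&2
            fi
            echo ""
        fi

        # 8. Replay the authorization code. Codes are single-use; this runs
        #    after the other tests because a compliant server may revoke every
        #    token issued from a code once it sees the code replayed.
        echo "8. Replaying authorization code (must be rejected)..."
        REPLAY_RESPONSE=$(exchange_code "$AUTH_CODE")
        if jq -e '.access_token' <<<"$REPLAY_RESPONSE" >/dev/null 2>&1; then
            echo "   WARNING: replayed authorization code was accepted; codes must be single-use" >&2
        else
            echo "   OK: replay rejected"
            show_json "$REPLAY_RESPONSE"
        fi
        echo ""
    fi
fi

# 9. Client-credentials grant (confidential client)
echo "9. Testing Client Credentials Flow..."
# The client secret is handed to curl through a config file on stdin ('-K -')
# instead of '-u id:secret' on the command line, so it does not show up in
# process listings. Escape '"' and '\' in the secret if yours contains them.
CLIENT_CREDS_RESPONSE=$(curl -s -K - "$BASE_URL/oauth2/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "scope=read write" \
    <<<"user = \"$CONFIDENTIAL_CLIENT_ID:$CONFIDENTIAL_CLIENT_SECRET\"")

show_json "$CLIENT_CREDS_RESPONSE"
echo ""

echo "================================"
echo "Testing Complete!"
echo "================================"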
