package twitch

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"sync"
)

// ErrVerificationFailed is the error returned when a webhook request does not
// verify correctly.
var ErrVerificationFailed = errors.New("Twitch webhook verification failed") //lint:ignore ST1005 Twitch is a proper noun

// Receive verifies a Twitch webhook request against the given secret
// and appends the request body to b.
// The maximum allowed request length is 1 MB.
func Receive(b, secret []byte, req *http.Request) ([]byte, error) {
	r := io.LimitReader(req.Body, 1<<20)
	w := bytes.NewBuffer(b)
	if _, err := io.Copy(w, r); err != nil {
		return nil, err
	}
	b = w.Bytes()

	h := hmac.New(sha256.New, secret)
	io.WriteString(h, req.Header.Get("Twitch-Eventsub-Message-Id"))
	io.WriteString(h, req.Header.Get("Twitch-Eventsub-Message-Timestamp"))
	h.Write(b)
	want := make([]byte, 0, len("sha256=")+sha256.Size*2)
	want = append(want, "sha256="...)
	sum := h.Sum(make([]byte, 0, sha256.Size))
	want = hex.AppendEncode(want, sum)

	got := req.Header.Get("Twitch-Eventsub-Message-Signature")
	if !hmac.Equal(want, []byte(got)) {
		fmt.Printf("req message id: %q\n", req.Header.Get("Twitch-Eventsub-Message-Id"))
		fmt.Printf("req timestamp: %q\n", req.Header.Get("Twitch-Eventsub-Message-Timestamp"))
		fmt.Printf("req body: %q\n", b)
		return nil, fmt.Errorf("%w: computed %q, header has %q", ErrVerificationFailed, want, got)
	}
	return b, nil
}

// Secret returns a process-wide secret for webhook subscriptions.
var Secret = sync.OnceValue(func() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return hex.AppendEncode(make([]byte, 0, 64), b)
})