package de.fhswf.in.inf.fit.aufgabe5;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import de.fhswf.in.inf.fit.aufgabe5.model.Account;

/**
 * Servlet implementation class LoginServlet
 */
@WebServlet("/LoginServletWithJpa")
public class LoginServletWithJpa extends HttpServlet
{
   private static final long serialVersionUID = 1L;

   /**
    * @see HttpServlet#HttpServlet()
    */
   public LoginServletWithJpa()
   {
      super();
   }

   /**
    * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
    *      response)
    */
   protected void doGet(HttpServletRequest request,
         HttpServletResponse response) throws ServletException, IOException
   {
      response.sendRedirect("LoginFormWithJpa.jsp");
   }

   /**
    * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
    *      response)
    */
   protected void doPost(HttpServletRequest request,
         HttpServletResponse response) throws ServletException, IOException
   {
      String requestUsername = request.getParameter("username");
      String requestPassword = request.getParameter("password");

      if (requestUsername == null || requestPassword == null)
      {
         doGet(request, response);
      }

      EntityManagerFactory emf = Persistence.createEntityManagerFactory(
            getServletContext().getInitParameter("persistenceUnit"));
      EntityManager em = emf.createEntityManager();

      Account account = em.find(Account.class, requestUsername);

      PrintWriter pw = response.getWriter();

      pw.println("<!DOCTYPE html>");
      pw.println("<html>");
      pw.println("<head>");
      pw.println("<meta charset=\"utf-8\" />");
      pw.println("<title>Login Answer</title>");
      pw.println("</head>");
      pw.println("<body>");

      System.out.println(account.getPassword() + " == "
            + (createSaltedPasswordHash(requestPassword, account.getSalt())));

      // This is very insecure and can be exploited via timing attacks
      if (account != null && account.getPassword().equals(
            createSaltedPasswordHash(requestPassword, account.getSalt())))
      {
         pw.println("<h1>Success</h1>");
         request.getSession().setAttribute("loggedin", true);
      }
      else
      {
         pw.println("<h1>Failed</h1>");
         pw.println("<a href=\"LoginFormWithJpa.jsp\">Retry</a>");
      }

      pw.println("</body>");
      pw.println("</html>");

      emf.close();
   }

   /**
    * Generate a Base64 encoded SHA-1 hashed password that is salted.
    *
    * @param password
    *           The password to encode.
    * @param salt
    *           The salt for salting the password.
    * @return The salted and encoded password hash.
    */
   public static String createSaltedPasswordHash(String password, String salt)
   {
      if (password == null)
      {
         throw new IllegalArgumentException("Password can't be null");
      }

      if (salt == null)
      {
         throw new IllegalArgumentException("Salt can't be null");
      }

      try
      {
         MessageDigest md = MessageDigest.getInstance("SHA-1");
         md.update((password + salt).getBytes());
         return Base64.getEncoder().encodeToString(md.digest());
      }
      catch (NoSuchAlgorithmException e)
      {
         throw new IllegalStateException(
               "SHA-1 for some reason is not supported.", e);
      }
   }
}