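package de.fhswf.in.inf.fit.aufgabe6;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import de.fhswf.in.inf.fit.aufgabe5.model.Account;

/**
 * Login servlet backed by JPA: {@code GET} redirects to the login form,
 * {@code POST} looks up the {@link Account} for the submitted username,
 * verifies the salted password hash and, on success, forwards to the
 * success page with the username stored in a freshly created session.
 *
 * <p>Changes relative to the first version of this class:
 * <ul>
 *   <li>a missing username/password now returns after the redirect instead of
 *       falling through into {@code em.find(Account.class, null)};</li>
 *   <li>the {@link EntityManager} and its factory are always closed;</li>
 *   <li>the hash comparison uses {@link MessageDigest#isEqual} instead of
 *       {@link String#equals} so it does not short-circuit on the first
 *       differing byte;</li>
 *   <li>the old session is invalidated before the login is recorded, so an
 *       attacker-supplied session id is not carried over (session fixation).</li>
 * </ul>
 */
@WebServlet("/LoginServletWithJpaAndJsp")
public class LoginServletWithJpaAndJsp extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Page the browser is redirected to on GET and on a failed login. */
    private static final String LOGIN_FORM = "LoginFormWithJpaAndJsp.jsp";
    /** Context-relative page forwarded to after a successful login. */
    private static final String SUCCESS_PAGE = "/LoginSuccess.jsp";
    /** Servlet-context init parameter naming the JPA persistence unit. */
    private static final String PERSISTENCE_UNIT_PARAM = "persistenceUnit";
    /** Session attribute holding the logged-in username. */
    private static final String SESSION_USERNAME = "username";
    /**
     * Digest used by {@link #createSaltedPasswordHash}. SHA-1 with a single
     * iteration is not an adequate password hash; it is kept only because the
     * hashes already stored in the database were produced with it. A migration
     * to a dedicated password KDF (e.g. PBKDF2WithHmacSHA256 via
     * {@code javax.crypto.SecretKeyFactory}) is recommended.
     */
    private static final String HASH_ALGORITHM = "SHA-1";

    /**
     * @see HttpServlet#HttpServlet()
     */
    public LoginServletWithJpaAndJsp() {
        super();
    }

    /**
     * Redirects to the login form.
     *
     * @see HttpServlet#doGet(HttpServletRequest, HttpServletResponse)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.sendRedirect(LOGIN_FORM);
    }

    /**
     * Handles a login attempt. Any failure (missing parameters, unknown user,
     * wrong password) ends in a redirect to the login form; the response does
     * not distinguish between the cases.
     *
     * @see HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String requestUsername = request.getParameter("username");
        String requestPassword = request.getParameter("password");
        if (requestUsername == null || requestPassword == null) {
            // Must return here: without it the lookup below runs with a null
            // primary key and the servlet throws instead of redirecting.
            doGet(request, response);
            return;
        }

        Account account = findAccount(requestUsername);
        if (account == null || !passwordMatches(account, requestPassword)) {
            doGet(request, response);
            return;
        }

        // Drop any pre-existing session before recording the login so a session
        // id planted before authentication does not become an authenticated one.
        HttpSession oldSession = request.getSession(false);
        if (oldSession != null) {
            oldSession.invalidate();
        }
        request.getSession(true).setAttribute(SESSION_USERNAME, account.getUsername());

        RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(SUCCESS_PAGE);
        dispatcher.forward(request, response);
    }

    /**
     * Loads the account with the given username as primary key.
     *
     * <p>The factory is created per request as in the original; both the
     * factory and the entity manager are closed in all cases.
     *
     * @param username primary key of the account, must not be {@code null}
     * @return the account, or {@code null} if none exists
     */
    private Account findAccount(String username) {
        EntityManagerFactory emf = Persistence.createEntityManagerFactory(
                getServletContext().getInitParameter(PERSISTENCE_UNIT_PARAM));
        try {
            EntityManager em = emf.createEntityManager();
            try {
                return em.find(Account.class, username);
            } finally {
                em.close();
            }
        } finally {
            emf.close();
        }
    }

    /**
     * Checks the submitted password against the stored salted hash.
     *
     * <p>The comparison is done on the Base64 text with
     * {@link MessageDigest#isEqual}, which does not exit early on the first
     * mismatching byte. Comparing the encoded strings rather than decoded bytes
     * means a malformed stored value simply fails to match instead of throwing.
     *
     * @param account   account whose stored hash and salt are used
     * @param candidate password submitted in the request
     * @return {@code true} if the candidate produces the stored hash
     */
    private static boolean passwordMatches(Account account, String candidate) {
        String storedHash = account.getPassword();
        String salt = account.getSalt();
        if (storedHash == null || salt == null) {
            // An account without a usable credential can never log in.
            return false;
        }
        String computedHash = createSaltedPasswordHash(candidate, salt);
        return MessageDigest.isEqual(
                storedHash.getBytes(StandardCharsets.UTF_8),
                computedHash.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Generates a Base64 encoded SHA-1 hash of {@code password + salt}.
     *
     * <p>The input is encoded as UTF-8 explicitly. The previous version used the
     * platform default charset; on a JVM whose default is not UTF-8, hashes of
     * passwords containing non-ASCII characters will differ from values stored
     * by that version.
     *
     * @param password the password to hash
     * @param salt     the salt appended to the password before hashing
     * @return the Base64 encoded digest
     * @throws IllegalArgumentException if {@code password} or {@code salt} is {@code null}
     * @throws IllegalStateException    if the JVM does not provide the digest algorithm
     */
    public static String createSaltedPasswordHash(String password, String salt) {
        if (password == null) {
            throw new IllegalArgumentException("Password can't be null");
        }
        if (salt == null) {
            throw new IllegalArgumentException("Salt can't be null");
        }
        try {
            MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
            md.update((password + salt).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 for some reason is not supported.", e);
        }
    }
}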