package subsonic

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

func verifyAgainstPassword(userPassword, passwordParam string) bool {
	p := passwordParam
	if strings.HasPrefix(passwordParam, "enc:") {
		b, err := hex.DecodeString(passwordParam)
		if err != nil {
			return false
		}
		p = string(b)
	}

	return userPassword == p
}

func verifyAgainstToken(password, token, salt string) bool {
	hash := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(hash[:]) == token
}

func VerifyUser(r *http.Request, username, password string) error {
	u := r.URL.Query().Get("u")
	if u == "" {
		return fmt.Errorf("username parameter missing")
	}

	p := r.URL.Query().Get("p")
	if p != "" {
		ok := verifyAgainstPassword(password, p)
		if !ok {
			return fmt.Errorf("passwords don't match")
		}
		return nil
	}

	t := r.URL.Query().Get("t")
	s := r.URL.Query().Get("s")
	if !verifyAgainstToken(password, t, s) {
		return fmt.Errorf("passwords don't match")
	}

	return nil
}