"use strict";
// The MIT License (MIT)
//
// Copyright (c) 2017 Firebase
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
// SOFTWARE.
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    return new (P || (P = Promise))(function (resolve, reject) {
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
        function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
        step((generator = generator.apply(thisArg, _arguments || [])).next());
    });
};
Object.defineProperty(exports, "__esModule", { value: true });
const _ = require("lodash");
const cors = require("cors");
const apps_1 = require("../apps");
const cloud_functions_1 = require("../cloud-functions");
/**
 * Handle HTTP requests.
 * @param handler A function that takes a request and response object,
 * same signature as an Express app.
 */
function onRequest(handler) {
    return _onRequestWithOpts(handler, {});
}
exports.onRequest = onRequest;
/**
 * Declares a callable method for clients to call using a Firebase SDK.
 * @param handler A method that takes a data and context and returns a value.
 */
function onCall(handler) {
    return _onCallWithOpts(handler, {});
}
exports.onCall = onCall;
/** @internal */
function _onRequestWithOpts(handler, opts) {
    // lets us add __trigger without altering handler:
    let cloudFunction = (req, res) => {
        handler(req, res);
    };
    cloudFunction.__trigger = _.assign(cloud_functions_1.optsToTrigger(opts), { httpsTrigger: {} });
    // TODO parse the opts
    return cloudFunction;
}
exports._onRequestWithOpts = _onRequestWithOpts;
/**
 * Standard error codes for different ways a request can fail, as defined by:
 * https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto
 *
 * This map is used primarily to convert from a client error code string to
 * to the HTTP format error code string, and make sure it's in the supported set.
 */
const errorCodeMap = {
    ok: 'OK',
    cancelled: 'CANCELLED',
    unknown: 'UNKNOWN',
    'invalid-argument': 'INVALID_ARGUMENT',
    'deadline-exceeded': 'DEADLINE_EXCEEDED',
    'not-found': 'NOT_FOUND',
    'already-exists': 'ALREADY_EXISTS',
    'permission-denied': 'PERMISSION_DENIED',
    unauthenticated: 'UNAUTHENTICATED',
    'resource-exhausted': 'RESOURCE_EXHAUSTED',
    'failed-precondition': 'FAILED_PRECONDITION',
    aborted: 'ABORTED',
    'out-of-range': 'OUT_OF_RANGE',
    unimplemented: 'UNIMPLEMENTED',
    internal: 'INTERNAL',
    unavailable: 'UNAVAILABLE',
    'data-loss': 'DATA_LOSS',
};
/**
 * An explicit error that can be thrown from a handler to send an error to the
 * client that called the function.
 */
class HttpsError extends Error {
    constructor(code, message, details) {
        super(message);
        // This is a workaround for a bug in TypeScript when extending Error:
        // tslint:disable-next-line
        // https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work
        Object.setPrototypeOf(this, HttpsError.prototype);
        if (!errorCodeMap[code]) {
            throw new Error('Unknown error status: ' + code);
        }
        this.code = code;
        this.details = details;
    }
    /**
     * @internal
     * A string representation of the Google error code for this error for HTTP.
     */
    get status() {
        return errorCodeMap[this.code];
    }
    /**
     * @internal
     * Returns the canonical http status code for the given error.
     */
    get httpStatus() {
        switch (this.code) {
            case 'ok':
                return 200;
            case 'cancelled':
                return 499;
            case 'unknown':
                return 500;
            case 'invalid-argument':
                return 400;
            case 'deadline-exceeded':
                return 504;
            case 'not-found':
                return 404;
            case 'already-exists':
                return 409;
            case 'permission-denied':
                return 403;
            case 'unauthenticated':
                return 401;
            case 'resource-exhausted':
                return 429;
            case 'failed-precondition':
                return 400;
            case 'aborted':
                return 409;
            case 'out-of-range':
                return 400;
            case 'unimplemented':
                return 501;
            case 'internal':
                return 500;
            case 'unavailable':
                return 503;
            case 'data-loss':
                return 500;
            // This should never happen as long as the type system is doing its job.
            default:
                throw 'Invalid error code: ' + this.code;
        }
    }
    /** @internal */
    toJSON() {
        const json = {
            status: this.status,
            message: this.message,
        };
        if (!_.isUndefined(this.details)) {
            json.details = this.details;
        }
        return json;
    }
}
exports.HttpsError = HttpsError;
// Returns true if req is a properly formatted callable request.
function isValidRequest(req) {
    // The body must not be empty.
    if (!req.body) {
        console.warn('Request is missing body.');
        return false;
    }
    // Make sure it's a POST.
    if (req.method !== 'POST') {
        console.warn('Request has invalid method.', req.method);
        return false;
    }
    // Check that the Content-Type is JSON.
    let contentType = (req.header('Content-Type') || '').toLowerCase();
    // If it has a charset, just ignore it for now.
    const semiColon = contentType.indexOf(';');
    if (semiColon >= 0) {
        contentType = contentType.substr(0, semiColon).trim();
    }
    if (contentType !== 'application/json') {
        console.warn('Request has incorrect Content-Type.', contentType);
        return false;
    }
    // The body must have data.
    if (_.isUndefined(req.body.data)) {
        console.warn('Request body is missing data.', req.body);
        return false;
    }
    // TODO(klimt): Allow only whitelisted http headers.
    // Verify that the body does not have any extra fields.
    const extras = _.omit(req.body, 'data');
    if (!_.isEmpty(extras)) {
        console.warn('Request body has extra fields.', extras);
        return false;
    }
    return true;
}
const LONG_TYPE = 'type.googleapis.com/google.protobuf.Int64Value';
const UNSIGNED_LONG_TYPE = 'type.googleapis.com/google.protobuf.UInt64Value';
/**
 * Encodes arbitrary data in our special format for JSON.
 * This is exposed only for testing.
 */
/** @internal */
function encode(data) {
    if (_.isNull(data) || _.isUndefined(data)) {
        return null;
    }
    // Oddly, _.isFinite(new Number(x)) always returns false, so unwrap Numbers.
    if (data instanceof Number) {
        data = data.valueOf();
    }
    if (_.isFinite(data)) {
        // Any number in JS is safe to put directly in JSON and parse as a double
        // without any loss of precision.
        return data;
    }
    if (_.isBoolean(data)) {
        return data;
    }
    if (_.isString(data)) {
        return data;
    }
    if (_.isArray(data)) {
        return _.map(data, encode);
    }
    if (_.isObject(data)) {
        // It's not safe to use _.forEach, because the object might be 'array-like'
        // if it has a key called 'length'. Note that this intentionally overrides
        // any toJSON method that an object may have.
        return _.mapValues(data, encode);
    }
    // If we got this far, the data is not encodable.
    console.error('Data cannot be encoded in JSON.', data);
    throw new Error('Data cannot be encoded in JSON: ' + data);
}
exports.encode = encode;
/**
 * Decodes our special format for JSON into native types.
 * This is exposed only for testing.
 */
/** @internal */
function decode(data) {
    if (data === null) {
        return data;
    }
    if (data['@type']) {
        switch (data['@type']) {
            case LONG_TYPE:
            // Fall through and handle this the same as unsigned.
            case UNSIGNED_LONG_TYPE: {
                // Technically, this could work return a valid number for malformed
                // data if there was a number followed by garbage. But it's just not
                // worth all the extra code to detect that case.
                const value = parseFloat(data.value);
                if (_.isNaN(value)) {
                    console.error('Data cannot be decoded from JSON.', data);
                    throw new Error('Data cannot be decoded from JSON: ' + data);
                }
                return value;
            }
            default: {
                console.error('Data cannot be decoded from JSON.', data);
                throw new Error('Data cannot be decoded from JSON: ' + data);
            }
        }
    }
    if (_.isArray(data)) {
        return _.map(data, decode);
    }
    if (_.isObject(data)) {
        // It's not safe to use _.forEach, because the object might be 'array-like'
        // if it has a key called 'length'.
        return _.mapValues(data, decode);
    }
    // Anything else is safe to return.
    return data;
}
exports.decode = decode;
const corsHandler = cors({ origin: true, methods: 'POST' });
/** @internal */
function _onCallWithOpts(handler, opts) {
    const func = (req, res) => __awaiter(this, void 0, void 0, function* () {
        try {
            if (!isValidRequest(req)) {
                console.error('Invalid request', req);
                throw new HttpsError('invalid-argument', 'Bad Request');
            }
            const context = { rawRequest: req };
            const authorization = req.header('Authorization');
            if (authorization) {
                const match = authorization.match(/^Bearer (.*)$/);
                if (!match) {
                    throw new HttpsError('unauthenticated', 'Unauthenticated');
                }
                const idToken = match[1];
                try {
                    const authToken = yield apps_1.apps()
                        .admin.auth()
                        .verifyIdToken(idToken);
                    context.auth = {
                        uid: authToken.uid,
                        token: authToken,
                    };
                }
                catch (e) {
                    throw new HttpsError('unauthenticated', 'Unauthenticated');
                }
            }
            const instanceId = req.header('Firebase-Instance-ID-Token');
            if (instanceId) {
                // Validating the token requires an http request, so we don't do it.
                // If the user wants to use it for something, it will be validated then.
                // Currently, the only real use case for this token is for sending
                // pushes with FCM. In that case, the FCM APIs will validate the token.
                context.instanceIdToken = req.header('Firebase-Instance-ID-Token');
            }
            const data = decode(req.body.data);
            let result = yield handler(data, context);
            // Encode the result as JSON to preserve types like Dates.
            result = encode(result);
            // If there was some result, encode it in the body.
            const responseBody = { result };
            res.status(200).send(responseBody);
        }
        catch (error) {
            if (!(error instanceof HttpsError)) {
                // This doesn't count as an 'explicit' error.
                console.error('Unhandled error', error);
                error = new HttpsError('internal', 'INTERNAL');
            }
            const status = error.httpStatus;
            const body = { error: error.toJSON() };
            res.status(status).send(body);
        }
    });
    // Wrap the function with a cors handler.
    const corsFunc = (req, res) => {
        return corsHandler(req, res, () => func(req, res));
    };
    corsFunc.__trigger = _.assign(cloud_functions_1.optsToTrigger(opts), {
        httpsTrigger: {},
        labels: { 'deployment-callable': 'true' },
    });
    corsFunc.run = handler;
    return corsFunc;
}
exports._onCallWithOpts = _onCallWithOpts;