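package WSL::AuthCookie;

# Cookie-based login handler built on Apache2::AuthCookie.
#
# A session key ("ticket") is issued after a successful login and checked
# again on every later request:
#
#   Session summary   -- "$secret:$user:$expires"
#   Session signature -- md5_hex(session summary)
#   Session key       -- join ":", $user, $expires, $signature

use strict;
use warnings;

use Carp qw(carp confess);
#use CGI;
use Data::Dumper;
use Net::LDAP;
use WSL::Proxy;
use Digest::MD5 qw(md5_hex);
use Apache2::RequestRec;
#use Apache2::Const qw(:common HTTP_FORBIDDEN);

use base "Apache2::AuthCookie";

# Ticket lifetime in seconds; make_ticket() sets expiry to time() + $cycle.
my $cycle = 300;

# Key mixed into every ticket signature.
# NOTE(review): this value lives in the source file, so anyone who can read
# the code or its repository history can mint valid tickets. Load it from a
# protected configuration source instead, and rotate it once that is done.
my $secret = "STRbjLab";

# Login entry point: verify the submitted credentials and issue a ticket.
#
#   $r     -- request object, passed through to the checks and make_ticket()
#   @creds -- submitted credential fields; $creds[0] is used as the user name
#
# Returns the session key on success, nothing on failure.
# is_authenticated() and is_authorized() are not defined in this part of
# the file.
sub authen_cred {
    my ($this, $r, @creds) = @_;

    # Credentials are deliberately not dumped to the log: @creds holds
    # whatever the user submitted on the login form, and writing it out
    # would leave those values readable in the server error log.

    return
        unless $this->is_authenticated($r, @creds)
        && $this->is_authorized($r, @creds);

    return $this->make_ticket($r, $creds[0]);
}

# Per-request check: validate the session key taken from the cookie.
#
# Returns the user name when check_ticket() yields a true value, nothing
# otherwise.
sub authen_ses_key {
    my ($this, $r, $key) = @_;

    my $user = $this->check_ticket($r, $key);

    return $user if $user;
    return;
}

# Build a session key for $user that expires $cycle seconds from now.
#
# NOTE(review): md5_hex over "$secret:..." is a secret-prefix MD5
# construction, which is not a sound MAC. Move to an HMAC with a SHA-2
# digest (core Digest::SHA provides hmac_sha256_hex) once every consumer of
# this cookie can be updated together; the key format is kept unchanged here
# so already-issued tickets and any other verifier keep working.
# A user name containing ":" produces a key that check_ticket() rejects.
sub make_ticket {
    my ($this, $r, $user) = @_;

    my $expires   = time() + $cycle;
    my $signature = md5_hex("$secret:$user:$expires");

    return join(":", $user, $expires, $signature);
}

# Compare two strings without stopping at the first differing character,
# so the time taken does not reveal how much of a guessed signature matched.
sub _constant_time_eq {
    my ($left, $right) = @_;

    return 0 if length($left) != length($right);

    my $diff = 0;
    for my $i (0 .. length($left) - 1) {
        $diff |= ord(substr($left, $i, 1)) ^ ord(substr($right, $i, 1));
    }

    return $diff == 0 ? 1 : 0;
}

# Validate a session key received from the client.
#
#   $key -- "user:expires:signature" as produced by make_ticket(); this is
#           client-controlled input and may be missing or malformed
#
# Returns the user name for a well-formed, correctly signed, unexpired key
# and undef otherwise. The explicit undef is kept so the return shape is the
# same as before for existing callers.
sub check_ticket {
    my ($this, $r, $key) = @_;

    return undef unless defined $key;

    # Accept exactly three fields: a non-empty user, a decimal expiry and a
    # 32-character lowercase hex digest. Anything else (missing fields,
    # trailing data, non-numeric expiry) is rejected before any comparison.
    my ($user, $expires, $signature)
        = $key =~ m{ \A ([^:]+) : ([0-9]+) : ([0-9a-f]{32}) \z }x;
    return undef unless defined $signature;

    my $expected = md5_hex("$secret:$user:$expires");

    return undef unless _constant_time_eq($signature, $expected);
    return undef if $expires < time();

    return $user;
}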