require 'action_controller'

# :nodoc: adds authenticates_using_http_basic
class ActionController::Base
  # Keeps track of the currently authenticated user via the session. 
  #
  # Assumes the existence of a User model. A bare ActiveModel model will do the
  # trick. Model instances must implement id, and the model class must implement
  # find_by_id.
  def self.authenticates_using_http_basic(options = {})
    include Authpwn::HttpBasicControllerInstanceMethods
    before_filter :authenticate_using_http_basic, options   
  end
end

# :nodoc: namespace
module Authpwn

# Included in controllers that call authenticates_using_http_basic.
module HttpBasicControllerInstanceMethods
  include Authpwn::CurrentUser

  # Filter that implements authenticates_using_http_basic.
  #
  # If your ApplicationController contains authenticates_using_http_basic, you
  # can opt out in individual controllers using skip_before_filter.
  #
  #     skip_before_filter :authenticate_using_http_filter
  def authenticate_using_http_basic
    return if current_user
    authenticate_with_http_basic do |email, password|
      auth = User.authenticate_signin email, password
      self.current_user = auth unless auth.kind_of? Symbol
    end
  end
  private :authenticate_using_http_basic
  
  # Inform the user that their request is forbidden.
  #
  # If a user is logged on, this renders the session/forbidden view with a HTTP
  # 403 code.
  # 
  # If no user is logged in, a HTTP 403 code is returned, together with an
  # HTTP Authentication header causing the user-agent (browser) to initiate
  # http basic authentication.
  def bounce_to_http_basic()
    unless current_user
      request_http_basic_authentication
      return
    end

    respond_to do |format|
      format.html do
        render 'session/forbidden', status: :forbidden
      end
      format.json do
        render json: { error: "You're not allowed to access that" }
      end
    end
  end
end  # module Authpwn::HttpBasicControllerInstanceMethods

end  # namespace Authpwn