GeoShare/bin/routes/auth_routes.dart

import 'package:bcrypt/bcrypt.dart';
import 'package:dotenv/dotenv.dart';
import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
import 'package:shelf/shelf.dart';
import 'package:shelf_router/shelf_router.dart';
import '../database/database_provider.dart';
import '../middleware/auth_middleware.dart';
import '../middleware/request_logger.dart';
import 'dart:convert';
import 'dart:io';

class AuthRoutes {
  final DatabaseProvider database;
  final Map<String, DateTime> _lastRequest = {};

  AuthRoutes(this.database);

  Router get routes {
    final router = Router();
    router.post('/login', _login);
    router.post('/reg', _register);
    router.get('/watch', AuthMiddleware(_watch).call);
    router.get('/api_info', _apiInfo);
    return router;
  }

  String _getClientIp(Request request) {
    final forwarded = request.headers['x-forwarded-for'];
    if (forwarded != null) {
      return forwarded.split(',').first.trim();
    }
    final xRealIp = request.headers['x-real-ip'];
    if (xRealIp != null) {
      return xRealIp;
    }
    return '127.0.0.1';
  }

  Future<Response?> _rateLimitCheck(Request request, String key) async {
    final ip = _getClientIp(request);
    final rateKey = '$key:$ip';
    final now = DateTime.now();
    final lastRequest = _lastRequest[rateKey];
    if (lastRequest != null && now.difference(lastRequest).inSeconds < 10) {
      return Response(429, body: jsonEncode({'error': 'Too many requests. Please wait 10 seconds.'}), headers: {'Content-Type': 'application/json'});
    }
    _lastRequest[rateKey] = now;
    return null;
  }

  Future<Response> _login(Request request) async {
    final rateLimit = await _rateLimitCheck(request, 'login');
    if (rateLimit != null) return rateLimit;

    final body = await request.readAsString();
    final data = jsonDecode(body);

    final login = data['login'];
    final password = data['password'];

    final user = await database.findUserByLogin(login);

    final stopwatch = Stopwatch()..start();
    if (user == null || !BCrypt.checkpw(password, user.pwdHash)) {
      await database.createLog(login, 'Failed login attempt');
      stopwatch.stop();
      final response = Response(401, body: jsonEncode({'error': 'Invalid credentials'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'POST', url: '/login', status: 401, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
      return response;
    }

    // Генерация JWT токена
    final dotenv = DotEnv();
    final secret = dotenv['JWT_SECRET'] ?? '';
    final jwt = JWT(
      {'user_id': user.id, 'login': user.login},
      issuer: 'family_safety_tracker'
    );
    final token = jwt.sign(SecretKey(secret));

    await database.createLog(login, 'Successful login');
    stopwatch.stop();
    final response = Response(200, body: jsonEncode({'token': token}), headers: {'Content-Type': 'application/json'});
    logRequest(method: 'POST', url: '/login', status: 200, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
    return response;
  }

  Future<Response> _register(Request request) async {
    final rateLimit = await _rateLimitCheck(request, 'reg');
    if (rateLimit != null) return rateLimit;

    final stopwatch = Stopwatch()..start();
    final body = await request.readAsString();
    logRequest(method: 'POST', url: '/reg', status: 444, duration: stopwatch.elapsed, body: body);
    final data = jsonDecode(body);

    final login = data['login'];
    final password = data['password'];
    final secretKey = data['secret_key'];

    if (login is! String || login.length <= 4) {
      stopwatch.stop();
      final response = Response(400, body: jsonEncode({'error': 'Login must be more than 4 characters'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
      return response;
    }

    if (password is! String || password.length <= 8) {
      stopwatch.stop();
      final response = Response(400, body: jsonEncode({'error': 'Password must be more than 8 characters'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
      return response;
    }

    final envDotenv = DotEnv();
    final storedHash = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';

    if (!BCrypt.checkpw(secretKey, storedHash)) {
      stopwatch.stop();
      final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
      return response;
    }

    try {
      await database.createUser(login, password);
      await database.createLog(login, 'User registration');
    } catch (e) {
      stopwatch.stop();
      final response = Response(400, body: jsonEncode({'error': e.toString()}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
      return response;
    }
    stopwatch.stop();
    final response = Response(201, body: jsonEncode({'message': 'User registered'}), headers: {'Content-Type': 'application/json'});
    logRequest(method: 'POST', url: '/reg', status: 201, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
    return response;
  }

  Future<Response> _watch(Request request, String login) async {
    final stopwatch = Stopwatch()..start();
    final uniqueId = request.url.queryParameters['share_id'];
    if (uniqueId == null) {
      stopwatch.stop();
      final response = Response(404, body: jsonEncode({'error': 'Share link not found'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'GET', url: '/watch', status: 404, duration: stopwatch.elapsed, responseHeaders: response.headers);
      return response;
    }

    final geoId = database.getGeoIdByShareId(uniqueId);

    if (geoId == null) {
      await database.createLog(login, 'Accessed invalid share link');
      stopwatch.stop();
      final response = Response(404, body: jsonEncode({'error': 'Share link not found'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'GET', url: '/watch', status: 404, duration: stopwatch.elapsed, responseHeaders: response.headers);
      return response;
    }

    final position = await database.getPositionById(geoId);

    if (position == null) {
      await database.createLog(login, 'Accessed share link - no position');
      stopwatch.stop();
      final response = Response(404, body: jsonEncode({'error': 'No position available'}), headers: {'Content-Type': 'application/json'});
      logRequest(method: 'GET', url: '/watch', status: 404, duration: stopwatch.elapsed, responseHeaders: response.headers);
      return response;
    }

    await database.createLog(login, 'Accessed share link');
    stopwatch.stop();
    final response = Response(200, body: jsonEncode({
      'x': position.xValue,
      'y': position.yValue,
      'last_update': position.lastUpdate.toIso8601String(),
      'expires_at': position.expiresAt.toIso8601String(),
    }), headers: {'Content-Type': 'application/json'});
    logRequest(method: 'GET', url: '/watch', status: 200, duration: stopwatch.elapsed, responseHeaders: response.headers);
    return response;
  }

  Future<Response> _apiInfo(Request request) async {
    final swaggerDir = Directory('web/swagger');
    final swaggerFile = File('${swaggerDir.path}/index.html');
    final html = await swaggerFile.readAsString();
    final response = Response(200, body: html, headers: {'Content-Type': 'text/html'});
    return response;
  }
}