"use strict";
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
Object.defineProperty(exports, "__esModule", { value: true });
exports.TunnelPlanTokenProperties = void 0;
/**
 * Supports parsing tunnel access token JWT properties to allow for some pre-validation
 * and diagnostics.
 *
 * Applications generally should not attempt to interpret or rely on any token properties
 * other than `expiration`, because the service may change or omit those claims in the future.
 * Other claims are exposed here only for diagnostic purposes.
 */
class TunnelPlanTokenProperties {
    constructor(clusterId, issuer, expiration, userEmail, tunnelPlanId, subscriptionId, scopes) {
        this.clusterId = clusterId;
        this.issuer = issuer;
        this.expiration = expiration;
        this.userEmail = userEmail;
        this.tunnelPlanId = tunnelPlanId;
        this.subscriptionId = subscriptionId;
        this.scopes = scopes;
    }
    /**
     * Checks if the tunnel access token expiration claim is in the past.
     *
     * (Does not throw if the token is an invalid format.)
     */
    static validateTokenExpiration(token) {
        const t = TunnelPlanTokenProperties.tryParse(token);
        if (t === null || t === void 0 ? void 0 : t.expiration) {
            if (t.expiration < new Date()) {
                throw new Error('The access token is expired: ' + t);
            }
        }
    }
    /**
     * Attempts to parse a tunnel access token (JWT). This does NOT validate the token
     * signature or any claims.
     */
    static tryParse(token) {
        if (typeof token !== 'string')
            throw new TypeError('Token string expected.');
        // JWTs are encoded in 3 parts: header, body, and signature.
        const tokenParts = token.split('.');
        if (tokenParts.length !== 3) {
            return null;
        }
        const tokenBodyJson = TunnelPlanTokenProperties.base64UrlDecode(tokenParts[1]);
        if (!tokenBodyJson) {
            return null;
        }
        try {
            const tokenJson = JSON.parse(tokenBodyJson);
            const clusterId = tokenJson.clusterId;
            const subscriptionId = tokenJson.subscriptionId;
            const tunnelPlanId = tokenJson.tunnelPlanId;
            const userEmail = tokenJson.userEmail;
            const scp = tokenJson.scp;
            const iss = tokenJson.iss;
            const exp = tokenJson.exp;
            return new TunnelPlanTokenProperties(clusterId, iss, typeof exp === 'number' ? new Date(exp * 1000) : undefined, userEmail, tunnelPlanId, subscriptionId, scp === null || scp === void 0 ? void 0 : scp.split(' '));
        }
        catch (_a) {
            return null;
        }
    }
    /**
     * Gets the tunnal access token trace string.
     * 'none' if null or undefined, parsed token info if can be parsed, or 'token' if cannot be parsed.
     */
    static getTokenTrace(token) {
        var _a, _b;
        return !token ? 'none' : (_b = (_a = TunnelPlanTokenProperties.tryParse(token)) === null || _a === void 0 ? void 0 : _a.toString()) !== null && _b !== void 0 ? _b : 'token';
    }
    static base64UrlDecode(encodedString) {
        // Convert from base64url encoding to base64 encoding: replace chars and add padding.
        encodedString = encodedString.replace('-', '+');
        while (encodedString.length % 4 !== 0) {
            encodedString += '=';
        }
        try {
            const result = atob(encodedString);
            return result;
        }
        catch (_a) {
            return null;
        }
    }
}
exports.TunnelPlanTokenProperties = TunnelPlanTokenProperties;
//# sourceMappingURL=tunnelPlanTokenProperties.js.map