fictioneer/includes/functions/_module-oauth.php

<?php

// =============================================================================
// CONSTANTS
// =============================================================================

define(
  'FCN_OAUTH2_API_ENDPOINTS',
  array(
    'discord' => array(
      'login' => 'https://discord.com/api/oauth2/authorize',
      'token' => 'https://discord.com/api/oauth2/token',
      'user' => 'https://discord.com/api/users/@me',
      'revoke' => 'https://discord.com/api/oauth2/token/revoke',
      'scope' => 'identify email'
    ),
    'twitch' => array(
      'login' => 'https://id.twitch.tv/oauth2/authorize',
      'token' => 'https://id.twitch.tv/oauth2/token',
      'user' => 'https://api.twitch.tv/helix/users',
      'revoke' => 'https://id.twitch.tv/oauth2/revoke',
      'scope' => 'user:read:email'
    ),
    'google' => array(
      'login' => 'https://accounts.google.com/o/oauth2/auth',
      'token' => 'https://oauth2.googleapis.com/token',
      'user' => 'https://www.googleapis.com/oauth2/v1/userinfo',
      'revoke' => 'https://oauth2.googleapis.com/revoke',
      'scope' => 'openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile'
    ),
    'patreon' => array(
      'login' => 'https://www.patreon.com/oauth2/authorize',
      'token' => 'https://www.patreon.com/api/oauth2/token',
      'user' => 'https://www.patreon.com/api/oauth2/v2/identity',
      'revoke' => '',
      'scope' => urlencode( 'identity identity[email]' )
    ),
    'subscribestar' => array(
      'login' => 'https://www.subscribestar.com/oauth2/authorize',
      'token' => 'https://www.subscribestar.com/oauth2/token',
      'api' => 'https://www.subscribestar.com/api/graphql/v1',
      'revoke' => '',
      'scope' => 'subscriber.read+subscriber.payments.read+user.read+user.email.read'
    )
  )
);

// =============================================================================
// PROCESS
// =============================================================================

/**
 * Handle OAuth 2.0 requests to get campaign tiers
 *
 * @since 5.15.0
 * @since 5.19.0 - Refactored
 */

function fictioneer_oauth2_get_campaign_tiers() {
  // Abort if not on the /oauth2 route...
  if ( is_null( get_query_var( FICTIONEER_OAUTH_ENDPOINT, null ) ) ) {
    return;
  }

  // Setup
  $cookie = fictioneer_oauth2_get_cookie();
  $state = sanitize_key( $_GET['state'] ?? '' );
  $code = sanitize_text_field( $_GET['code'] ?? '' ); // Do not use sanitize_key()

  // Validate!
  if (
    ! current_user_can( 'manage_options' ) ||
    ( $cookie['action'] ?? 0 ) !== 'fictioneer_connection_get_patreon_tiers' ||
    ( $cookie['state'] ?? 0 ) !== $state
  ) {
    return;
  }

  // Delete cookie
  fictioneer_oauth2_delete_cookie();

  // Get access token
  $token_response = fictioneer_oauth2_get_token(
    FCN_OAUTH2_API_ENDPOINTS['patreon']['token'],
    array(
      'grant_type' => 'authorization_code',
      'client_id' => get_option( 'fictioneer_patreon_client_id' ),
      'client_secret' => get_option( 'fictioneer_patreon_client_secret' ),
      'redirect_uri' => get_site_url( null, FICTIONEER_OAUTH_ENDPOINT ),
      'code' => $code,
      'scope' => urlencode( 'campaigns' )
    )
  );

  // Token successfully retrieved?
  if ( is_wp_error( $token_response ) ) {
    fictioneer_oauth_die( $token_response->get_error_message() );
  }

  // Extract token
  $access_token = isset( $token_response->access_token ) ? $token_response->access_token : null;

  if ( ! $access_token ) {
    fictioneer_oauth2_terminate(
      admin_url( 'admin.php?page=fictioneer_connections' ),
      array( 'failure' => 'fictioneer-patreon-token-missing' )
    );
  }

  // Build params
  $params = '?fields' . urlencode( '[campaign]' ) . '=created_at';
  $params .= '&fields' . urlencode( '[tier]' ) . '=title,amount_cents,published,description';
  $params .= '&include=tiers';

  // Retrieve campaign data from Patreon
  $campaign_response = wp_remote_get(
    'https://www.patreon.com/api/oauth2/v2/campaigns' . $params,
    array(
      'headers' => array(
        'Authorization' => 'Bearer ' . $access_token
      )
    )
  );

  // Request successful?
  if ( is_wp_error( $campaign_response ) ) {
    fictioneer_oauth_die( $campaign_response->get_error_message() );
  } else {
    $body = json_decode( wp_remote_retrieve_body( $campaign_response ) );
  }

  // Data successfully retrieved?
  if ( empty( $body ) || json_last_error() !== JSON_ERROR_NONE ) {
    fictioneer_oauth_die( wp_remote_retrieve_body( $campaign_response ) );
  }

  // Data?
  if ( ! isset( $body->data ) ) {
    fictioneer_oauth_die( 'Data node not found.' );
  }

  // Includes?
  if ( ! isset( $body->included ) ) {
    fictioneer_oauth_die( 'Includes node not found.' );
  }

  // Extract tiers
  $tiers = [];

  foreach ( $body->included as $item ) {
    if ( $item->type !== 'tier' || ! isset( $item->attributes ) ) {
      continue;
    }

    $tiers[ $item->id ] = array(
      'id' => absint( $item->id ),
      'title' => sanitize_text_field( $item->attributes->title ?? '' ),
      'description' => wp_kses_post( $item->attributes->description ?? '' ),
      'amount_cents' => absint( $item->attributes->amount_cents ?? 0 ),
      'published' => filter_var( $item->attributes->published ?? 0, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE ),
    );
  }

  // Save as autoload option
  update_option( 'fictioneer_connection_patreon_tiers', $tiers );

  // Finish
  wp_safe_redirect(
    add_query_arg(
      array( 'success' => 'fictioneer-patreon-tiers-pulled' ),
      admin_url( 'admin.php?page=fictioneer_connections' )
    )
  );

  exit;
}
add_action( 'template_redirect', 'fictioneer_oauth2_get_campaign_tiers', 5 );

/**
 * Process any OAuth 2.0 request
 *
 * @since 5.19.0
 * @link https://dev.twitch.tv/docs/authentication
 * @link https://discord.com/developers/docs/topics/oauth2
 * @link https://docs.patreon.com/#step-1-registering-your-client
 * @link https://developers.google.com/identity/protocols/oauth2
 */

function fictioneer_oauth2_process() {
  // Abort if not on the /oauth2 route...
  if ( is_null( get_query_var( FICTIONEER_OAUTH_ENDPOINT, null ) ) ) {
    return;
  }

  // Setup
  $cookie = fictioneer_oauth2_get_cookie();
  $action = sanitize_key( $_GET['action'] ?? '' );
  $state = sanitize_key( $_GET['state'] ?? '' );
  $code = sanitize_text_field( $_GET['code'] ?? '' ); // Do not use sanitize_key()
  $channel = sanitize_key( $_GET['channel'] ?? '' );
  $merge = ( $_GET['merge'] ?? $cookie['merge'] ?? 0 ) ? 1 : 0;
  $anchor = sanitize_key( $_GET['anchor'] ?? $cookie['anchor'] ?? '' );
  $return_url = wp_validate_redirect( $_GET['return_url'] ?? $cookie['return_url'] ?? home_url(), home_url() );
  $result = '';

  // Verify!
  if ( ! $state && ! wp_verify_nonce( $_GET['oauth_nonce'] ?? '', 'authenticate' ) ) {
    fictioneer_oauth2_terminate(
      $return_url,
      array( 'failure' => 'oauth_invalid_nonce' ),
      $anchor
    );
  }

  // Merge?
  if ( ( ! is_user_logged_in() && $merge ) || ( is_user_logged_in() && ! $merge ) ) {
    fictioneer_oauth2_terminate(
      $return_url,
      array( 'failure' => 'oauth_invalid_merge_request' ),
      $anchor
    );
  }

  // Login: Get code!
  if ( $action === 'login' && ! $state ) {
    fictioneer_oauth2_get_code(
      array(
        'channel' => $channel,
        'anchor' => $anchor,
        'return_url' => $return_url,
        'merge' => $merge,
        'merge_id' => get_current_user_id()
      )
    );
  }

  // Cookie?
  if ( ! $cookie || ! ( $cookie['state'] ?? 0 ) || ! ( $cookie['channel'] ?? 0 ) || ! ( $cookie['return_url'] ?? 0 ) ) {
    fictioneer_oauth2_terminate(
      $cookie['return_url'],
      array( 'failure' => 'oauth_invalid_cookie' ),
      $anchor
    );
  }

  // State?
  if ( $cookie['state'] !== $state ) {
    fictioneer_oauth2_terminate(
      $cookie['return_url'],
      array( 'failure' => 'oauth_invalid_state' ),
      $anchor
    );
  }

  // Code?
  if ( ! $code ) {
    fictioneer_oauth2_terminate(
      $cookie['return_url'],
      array( 'failure' => 'oauth_invalid_code' ),
      $anchor
    );
  }

  // Code: Get access token!
  $token_response = fictioneer_oauth2_get_token(
    FCN_OAUTH2_API_ENDPOINTS[ $cookie['channel'] ]['token'],
    array(
      'grant_type' => 'authorization_code',
      'client_id' => get_option( "fictioneer_{$cookie['channel']}_client_id" ),
      'client_secret' => get_option( "fictioneer_{$cookie['channel']}_client_secret" ),
      'redirect_uri' => get_site_url( null, FICTIONEER_OAUTH_ENDPOINT ),
      'code' => $code,
      'scope' => FCN_OAUTH2_API_ENDPOINTS[ $cookie['channel'] ]['scope']
    )
  );

  // Error?
  if ( is_wp_error( $token_response ) ) {
    fictioneer_oauth2_terminate(
      $cookie['return_url'],
      array( 'failure' => $token_response->get_error_code() ),
      $anchor
    );
  }

  // Token?
  $access_token = isset( $token_response->access_token ) ? $token_response->access_token : null;

  if ( ! $access_token ) {
    fictioneer_oauth2_terminate(
      $cookie['return_url'],
      array( 'failure' => 'oauth_token_missing' ),
      $anchor
    );
  }

  // Delegate to respective channel
  switch ( $cookie['channel'] ) {
    case 'discord':
      $result = fictioneer_oauth2_discord( $token_response, $cookie );
      break;
    case 'patreon':
      $result = fictioneer_oauth2_patreon( $token_response, $cookie );
      break;
    case 'google':
      $result = fictioneer_oauth2_google( $token_response, $cookie );
      break;
    case 'twitch':
      $result = fictioneer_oauth2_twitch( $token_response, $cookie );
      break;
    // case 'subscribestar':
    //   $result = fictioneer_oauth2_subscribestar( $token_response, $cookie );
    //   break;
    default:
      $result = 'oauth_invalid_channel';
  }

  // Error: Any
  if ( ! in_array( $result, ['merged_user', 'new_user', 'known_user'] ) ) {
    $return_url = add_query_arg( 'failure', $result, $return_url );
  }

  // Success: Merged
  if ( $result === 'merged_user' ) {
    $return_url = add_query_arg( 'success', 'oauth_merged_' . $cookie['channel'], $return_url );
  }

  // Success: New
  if ( $result === 'new_user' ) {
    $return_url = add_query_arg( 'success', 'oauth_new', $return_url );
  }

  // Success: Known
  if ( $result === 'known_user' ) {
    $return_url = add_query_arg( 'success', 'oauth_known', $return_url );
  }

  // Finish
  fictioneer_oauth2_delete_cookie();
  wp_safe_redirect( $return_url . ( $anchor ? '#' . $anchor : '' ) );
  exit;
}
add_action( 'template_redirect', 'fictioneer_oauth2_process' );

/**
 * Log in or register user
 *
 * @since 5.19.0
 *
 * @param array $user_data  Array of user data.
 * @param array $cookie     The decrypted cookie data.
 */

function fictioneer_oauth2_make_user( $user_data, $cookie ) {
  // Setup
  $channel = $user_data['channel'];
  $meta_key = "fictioneer_{$channel}_id_hash";
  $channel_id = 'fcn_' . hash( 'sha256', sanitize_key( $user_data['uid'] ) );
  $username = sanitize_user( $user_data['username'] );
  $nickname = sanitize_user( $user_data['nickname'] );
  $email = sanitize_email( $user_data['email'] );
  $avatar = fictioneer_url_exists( $user_data['avatar'] ) ? $user_data['avatar'] : null;
  $merge_id = absint( $cookie['merge_id'] ?? 0 );
  $new = false;
  $merged = false;

  // Randomize username?
  if ( get_option( 'fictioneer_randomize_oauth_usernames' ) ) {
    $username = fictioneer_get_random_username();
    $nickname = $username;
  }

  // Look for existing user...
  $wp_user = get_users( array( 'meta_key' => $meta_key, 'meta_value' => $channel_id, 'number' => 1 ) );
  $wp_user = reset( $wp_user );

  // Check for faulty merge request
  if ( ! is_user_logged_in() && $cookie['merge'] ) {
    return 'oauth_invalid_merge_request';
  }

  if ( is_user_logged_in() && ! $cookie['merge'] ) {
    return 'oauth_invalid_merge_request';
  }

  // If a valid merge has been requested...
  if ( is_user_logged_in() && ! $wp_user && $cookie['merge'] ) {
    if ( ! $wp_user && get_current_user_id() === $merge_id ) {
      $wp_user = get_user_by( 'id', $merge_id );
      $merged = true;
    }

    // Cannot merge with non-existent user...
    if ( is_user_logged_in() && ! $wp_user ) {
      return 'oauth_invalid_merge_user';
    }
  }

  // Cannot merged if already linked
  if ( is_user_logged_in() && $wp_user && $merge_id !== $wp_user->ID ) {
    return 'oauth_already_linked';
  }

  // If still no user has been found, create a new one...
  if ( ! is_a( $wp_user, 'WP_User' ) ) {
    // Find free username
    if ( username_exists( $username ) ) {
      $alt_username = $username;
      $discriminator = 1;

      while ( username_exists( $alt_username ) ) {
        $alt_username = $username . $discriminator;
        $discriminator++;
      }

      $username = $alt_username;
    }

    // Create user
    $wp_user_id = wp_create_user( $username, wp_generate_password( 32, true, true ), $email );

    // Failure or success?
    if ( is_wp_error( $wp_user_id ) ) {
      $error_code = $wp_user_id->get_error_code();
      return $error_code === 'existing_user_email' ? 'oauth_email_taken' : $error_code;
    } else {
      $wp_user = get_user_by( 'id', $wp_user_id );
      $new = true;
    }
  }

  // Update user data
  if ( is_a( $wp_user, 'WP_User' ) ) {
    // Current avatar
    $current_avatar = $wp_user->fictioneer_external_avatar_url ?: '';

    // Set nickname and display name
    if ( $new ) {
      fictioneer_update_user_meta( $wp_user->ID, 'nickname', $nickname );
      wp_update_user( array( 'ID' => $wp_user->ID, 'display_name' => $nickname ) );
    }

    // Set channel ID
    if ( $new || $merged ) {
      fictioneer_update_user_meta( $wp_user->ID, "fictioneer_{$channel}_id_hash", $channel_id );
    }

    // Update avatar
    if ( $avatar !== $current_avatar && ! get_the_author_meta( 'fictioneer_lock_avatar', $wp_user->ID ) ) {
      fictioneer_update_user_meta( $wp_user->ID, 'fictioneer_external_avatar_url', $avatar );
    }

    // Handle Patreon
    if ( $channel === 'patreon' ) {
      if ( isset( $user_data['tiers'] ) && count( $user_data['tiers'] ) > 0 ) {
        fictioneer_update_user_meta( $wp_user->ID, 'fictioneer_patreon_tiers', $user_data['tiers'] );
      } else {
        delete_user_meta( $wp_user->ID, 'fictioneer_patreon_tiers' );
      }

      if ( isset( $user_data['membership'] ) && ! empty( $user_data['membership'] ) ) {
        fictioneer_update_user_meta( $wp_user->ID, 'fictioneer_patreon_membership', $user_data['membership'] );
      } else {
        delete_user_meta( $wp_user->ID, 'fictioneer_patreon_membership' );
      }
    }

    // Login
    if ( ! is_user_logged_in() ) {
      wp_clear_auth_cookie();
      wp_set_current_user( $wp_user->ID );

      // Allow login to last three days
      add_filter( 'auth_cookie_expiration', function( $length ) {
        return FICTIONEER_OAUTH_COOKIE_EXPIRATION;
      });

      // Set authentication cookie
      wp_set_auth_cookie( $wp_user->ID, true );
    }

    // Action
    do_action(
      'fictioneer_after_oauth_user',
      $wp_user,
      array(
        'channel' => $user_data['channel'],
        'uid' => $user_data['uid'],
        'username' => $user_data['username'],
        'nickname' => $user_data['nickname'],
        'email' => $user_data['email'],
        'avatar_url' => $user_data['avatar'],
        'patreon_tiers' => $user_data['tiers'] ?? [],
        'patreon_membership' => $user_data['membership'] ?? [],
        'new' => $new,
        'merged' => $merged
      )
    );

    // Return result
    if ( is_user_logged_in() ) {
      if ( $new ) {
        return 'new_user';
      }

      if ( $merged ) {
        return 'merged_user';
      }

      return 'known_user';
    }
  }

  // Something went very wrong
  return 'no_user_found_or_created';
}

// =============================================================================
// HELPERS
// =============================================================================

/**
 * Terminate the OAuth 2.0 script and redirect back
 *
 * @since 5.19.0
 *
 * @param string $return_url  Optional. URL to return to.
 * @param array  $query_args  Optional. Additional query arguments for the redirect.
 * @param string $anchor      Optional. Anchor for the return URL.
 */

function fictioneer_oauth2_terminate( $return_url = null, $query_args = [], $anchor = null ) {
  // Delete cookie
  fictioneer_oauth2_delete_cookie();

  // Redirect and terminate
  wp_safe_redirect( add_query_arg( $query_args, $return_url ?? home_url() ) . ( $anchor ? '#' . $anchor : '' ) );
  exit;
}

/**
 * Outputs a formatted error message and stops the script
 *
 * @since 5.5.2
 * @since 5.7.5 - Refactored.
 * @since 5.19.0 - Refactored again.
 *
 * @param string $message  The error message.
 * @param string $title    Optional. Title of the error page. Defaults to 'Error'.
 */

function fictioneer_oauth_die( $message, $title = 'Error' ) {
  // Delete cookie
  fictioneer_oauth2_delete_cookie();

  wp_die(
    '<h1 style="margin-top: 0;">' . $title . '</h1>' .
    '<p><pre>' . print_r( $message, true ) . '</pre></p>' .
    '<p>The good news is, nothing has happened to your account. The bad new is, something is not working. Please try again later or contact an administrator for help. <a href="' . home_url() . '">Back to site</a></p>',
    $title
  );
}

/**
 * Get the OAuth 2.0 cookie contents
 *
 * @since 5.19.0
 *
 * @return array|null The cookie as array or null on failure.
 */

function fictioneer_oauth2_get_cookie() {
  if ( isset( $_COOKIE['fictioneer_oauth'] ) ) {
    return fictioneer_decrypt( $_COOKIE['fictioneer_oauth'] ) ?: null;
  }

  return null;
}

/**
 * Deleted the OAuth 2.0 cookie
 *
 * @since 5.19.0
 */

function fictioneer_oauth2_delete_cookie() {
  setcookie(
    'fictioneer_oauth',
    '',
    array(
      'expires' => time() - 3600,
      'path' => '/',
      'domain' => '',
      'secure' => is_ssl(),
      'httponly' => true,
      'samesite' => 'Lax' // Necessary because of redirects
    )
  );
}

/**
 * Get code from OAuth 2.0 provider
 *
 * @since 5.19.0
 *
 * @param array  $args {
 *   Array of arguments.
 *
 *   @type string $channel     The targeted provider.
 *   @type string $return_url  The return URL.
 *   @type string $anchor      Optional. Anchor for the return URL.
 *   @type bool   $merge       Optional. Whether this is a merge request.
 *   @type int    $merge_id    ID of the current user or 0.
 * }
 */

function fictioneer_oauth2_get_code( $args ) {
  // Setup
  $client_id = get_option( "fictioneer_{$args['channel']}_client_id" );
  $client_secret = get_option( "fictioneer_{$args['channel']}_client_secret" );

  // Abort if...
  if ( ! $client_id || ! $client_secret ) {
    fictioneer_oauth2_terminate( $args['return_url'] );
  }

  // Prepare request
  $params = array(
    'response_type' => 'code',
    'client_id' => $client_id,
    'state' => hash( 'sha256', microtime( TRUE ) . random_bytes( 15 ) . $_SERVER['REMOTE_ADDR'] ),
    'scope' => FCN_OAUTH2_API_ENDPOINTS[ $args['channel'] ]['scope'],
    'redirect_uri' => get_site_url( null, FICTIONEER_OAUTH_ENDPOINT ),
    'force_verify' => 'true',
    'prompt' => 'consent',
    'access_type' => 'offline'
  );

  // Set cookie
  $value = fictioneer_encrypt(
    array(
      'state' => $params['state'],
      'channel' => $args['channel'],
      'return_url' => $args['return_url'],
      'anchor' => $args['anchor'],
      'merge' => $args['merge'],
      'merge_id' => $args['merge_id']
    )
  );

  if ( $value ) {
    setcookie(
      'fictioneer_oauth',
      $value,
      array(
        'expires' => time() + 300,
        'path' => '/',
        'domain' => '',
        'secure' => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax' // Necessary because of redirects
      )
    );
  }

  // Request code
  wp_redirect( add_query_arg( $params, FCN_OAUTH2_API_ENDPOINTS[ $args['channel'] ]['login'] ) );

  // Terminate
  exit();
}

/**
 * Get the OAuth 2.0 access token
 *
 * @since 5.19.0
 *
 * @param string $url      URL to make the API request to.
 * @param array  $body     Post body.
 * @param array  $headers  Optional. Array of additional header arguments.
 *
 * @return object|WP_Error Decoded JSON result or WP_Error on failure.
 */

function fictioneer_oauth2_get_token( $url, $body, $headers = [] ) {
  // Params
  $args = array(
    'headers' => array_merge( array( 'Accept' => 'application/json' ), $headers ),
    'body' => $body,
    'timeout' => 10,
    'blocking' => true,
    'reject_unsafe_urls' => true,
    'data_format' => 'body',
    'limit_response_size' => 4096
  );

  // Request
  $response = wp_remote_post( $url, $args );

  // Error?
  if ( is_wp_error( $response ) ) {
    return $response;
  }

  // Return decoded body
  return json_decode( wp_remote_retrieve_body( $response ) );
}

/**
 * Revoke an OAuth 2.0 access token
 *
 * @since 4.0.0
 * @since 5.7.5 - Refactored.
 * @since 5.19.0 - Refactored again.
 *
 * @param string $url   URL to make the API request to.
 * @param array  $post  Post body.
 *
 * @return string HTTP response code.
 */

function fictioneer_oauth2_revoke_token( $url, $body ) {
  // Params
  $args = array(
    'headers' => array( 'Content-Type' => 'application/x-www-form-urlencoded' ),
    'body' => $body
  );

  // Request
  $response = wp_remote_post( $url, $args );

  // Error?
  if ( is_wp_error( $response ) ) {
    return 500; // Internal Server Error
  }

  // Return response code
  return wp_remote_retrieve_response_code( $response );
}

/**
 * Retrieve and decode user data response
 *
 * @since 5.19.0
 *
 * @param object $response  API response.
 *
 * @return object User data object.
 */

function fictioneer_oauth2_retrieve_user_body( $response ) {
  // Check retrieved response
  if ( is_wp_error( $response ) ) {
    fictioneer_oauth_die( implode( '<br>', $response->get_error_messages() ) );
  } else {
    $user = json_decode( wp_remote_retrieve_body( $response ) );
  }

  // User data successfully retrieved?
  if ( empty( $user ) || json_last_error() !== JSON_ERROR_NONE ) {
    fictioneer_oauth_die( wp_remote_retrieve_body( $response ) );
  }

  // Error?
  $response_code = wp_remote_retrieve_response_code( $response );

  if ( $response_code < 200 || $response_code >= 300 ) {
    fictioneer_oauth_die( wp_remote_retrieve_body( $response ), 'Error ' . $response );
  }

  // All clear
  return $user;
}

// =============================================================================
// PROVIDERS
// =============================================================================

/**
 * Perform OAuth 2.0 authentication for Patreon
 *
 * @since 5.19.0
 *
 * @param object $token_response  Token request response.
 * @param array  $cookie          Decrypted data of the cookie.
 *
 * @return string Result code from fictioneer_oauth2_make_user().
 */

function fictioneer_oauth2_patreon( $token_response, $cookie ) {
  // Build params
  $params = '?fields' . urlencode( '[user]' ) . '=email,first_name,image_url,is_email_verified';
  $params .= '&fields' . urlencode( '[tier]' ) . '=title,amount_cents,published,description';
  $params .= '&fields' . urlencode( '[member]' ) . '=lifetime_support_cents,campaign_lifetime_support_cents,last_charge_date,last_charge_status,next_charge_date,patron_status';
  $params .= '&include=memberships.currently_entitled_tiers';

  // Retrieve user data from Patreon
  $user_response = wp_remote_get(
    FCN_OAUTH2_API_ENDPOINTS['patreon']['user'] . $params,
    array(
      'headers' => array(
        'Authorization' => 'Bearer ' . $token_response->access_token
      )
    )
  );

  // Check retrieved user response
  $user = fictioneer_oauth2_retrieve_user_body( $user_response );

  if ( ! isset( $user->data ) ) {
    fictioneer_oauth_die( 'Data node not found.' );
  }

  if ( ! isset( $user->data->attributes ) ) {
    fictioneer_oauth_die( 'Attributes node not found.' );
  }

  if ( ! isset( $user->data->attributes->is_email_verified ) || ! $user->data->attributes->is_email_verified ) {
    fictioneer_oauth_die( 'Email not verified.' );
  }

  // Extract membership data
  $tiers = [];
  $tier_ids = [];
  $membership = [];

  if ( isset( $user->included ) ) {
    // Tiers data
    foreach ( $user->included as $node ) {
      if ( isset( $node->type ) && $node->type === 'tier' ) {
        $tiers[ $node->id ] = array(
          'tier' => sanitize_text_field( $node->attributes->title ),
          'title' => sanitize_text_field( $node->attributes->title ),
          'description' => wp_kses_post( $node->attributes->description ?? '' ),
          'published' => filter_var( $node->attributes->published ?? 0, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE ),
          'amount_cents' => absint( $node->attributes->amount_cents ?? 0 ),
          'timestamp' => current_time( 'U', true ),
          'id' => $node->id
        );
        $tier_ids[] = $node->id;
      }
    }

    // Membership data
    foreach ( $user->included as $node ) {
      if (
        isset( $node->type ) &&
        $node->type === 'member' &&
        isset( $node->attributes ) &&
        isset( $node->relationships->currently_entitled_tiers->data ) &&
        in_array( $node->relationships->currently_entitled_tiers->data[0]->id, $tier_ids )
      ) {
        $membership['lifetime_support_cents'] = $node->attributes->lifetime_support_cents ?? $node->attributes->campaign_lifetime_support_cents ?? 0;
        $membership['last_charge_date'] = $node->attributes->last_charge_date ?? null;
        $membership['last_charge_status'] = $node->attributes->last_charge_status ?? null;
        $membership['next_charge_date'] = $node->attributes->next_charge_date ?? null;
        $membership['patron_status'] = $node->attributes->patron_status ?? null;

        break;
      }
    }
  }

  /* Patreon does not have a function to revoke a token (2024/05/21). */

  // Login or register user
  return fictioneer_oauth2_make_user(
    array(
      'channel' => 'patreon',
      'uid' => $user->data->id,
      'email' => $user->data->attributes->email,
      'username' => $user->data->attributes->first_name,
      'nickname' => $user->data->attributes->first_name,
      'avatar' => esc_url_raw( $user->data->attributes->image_url ?? '' ),
      'tiers' => $tiers,
      'membership' => $membership
    ),
    $cookie
  );
}

/**
 * Perform OAuth 2.0 authentication for Discord
 *
 * @since 5.19.0
 *
 * @param object $token_response  Token request response.
 * @param array  $cookie          Decrypted data of the cookie.
 *
 * @return string Result code from fictioneer_oauth2_make_user().
 */

function fictioneer_oauth2_discord( $token_response, $cookie ) {
  // Get user data
  $user_response = wp_remote_get(
    FCN_OAUTH2_API_ENDPOINTS['discord']['user'],
    array(
      'headers' => array(
        'Authorization' => 'Bearer ' . $token_response->access_token,
        'Client-ID' => get_option( 'fictioneer_discord_client_id' )
      )
    )
  );

  // Check retrieved user response
  $user = fictioneer_oauth2_retrieve_user_body( $user_response );

  // Account verified?
  if ( ! isset( $user->verified ) || ! $user->verified ) {
    fictioneer_oauth_die( 'Account not verified.' );
  }

  // Revoke token since it's not needed anymore
  fictioneer_oauth2_revoke_token(
    FCN_OAUTH2_API_ENDPOINTS['discord']['revoke'],
    array(
      'token' => $token_response->access_token,
      'token_type_hint' => 'access_token',
      'client_id' => get_option( 'fictioneer_discord_client_id' ),
      'client_secret' => get_option( 'fictioneer_discord_client_secret' )
    )
  );

  // Login or register user
  return fictioneer_oauth2_make_user(
    array(
      'channel' => 'discord',
      'uid' => $user->id,
      'email' => $user->email,
      'username' => $user->username . ( $user->discriminator ?? ''),
      'nickname' => $user->username,
      'avatar' => esc_url_raw( "https://cdn.discordapp.com/avatars/{$user->id}/{$user->avatar}.png" )
    ),
    $cookie
  );
}

/**
 * Perform OAuth 2.0 authentication for Google
 *
 * @since 5.19.0
 *
 * @param object $token_response  Token request response.
 * @param array  $cookie          Decrypted data of the cookie.
 *
 * @return string Result code from fictioneer_oauth2_make_user().
 */

function fictioneer_oauth2_google( $token_response, $cookie ) {
  // Retrieve user data from Google
  $user_response = wp_remote_get(
    FCN_OAUTH2_API_ENDPOINTS['google']['user'],
    array(
      'headers' => array(
        'Authorization' => 'Bearer ' . $token_response->access_token,
        'Client-ID' => get_option( 'fictioneer_google_client_id' )
      )
    )
  );

  // Check retrieved user response
  $user = fictioneer_oauth2_retrieve_user_body( $user_response );

  // Account verified?
  if ( ! isset( $user->verified_email ) || ! $user->verified_email ) {
    fictioneer_oauth_die( 'Email not verified.' );
  }

  // Revoke token since it's not needed anymore
  fictioneer_oauth2_revoke_token(
    FCN_OAUTH2_API_ENDPOINTS['google']['revoke'],
    array(
      'token' => $token_response->access_token
    )
  );

  // Generate random username (because Google uses real names)
  $name = fictioneer_get_random_username();

  // Login or register user
  return fictioneer_oauth2_make_user(
    array(
      'channel' => 'google',
      'uid' => $user->id,
      'email' => $user->email,
      'username' => $name,
      'nickname' => $name,
      'avatar' => esc_url_raw( $user->picture ?? '' )
    ),
    $cookie
  );
}

/**
 * Perform OAuth 2.0 authentication for Twitch
 *
 * @since 5.19.0
 *
 * @param object $token_response  Token request response.
 * @param array  $cookie          Decrypted data of the cookie.
 *
 * @return string Result code from fictioneer_oauth2_make_user().
 */

function fictioneer_oauth2_twitch( $token_response, $cookie ) {
  // Retrieve user data from Twitch
  $user_response = wp_remote_get(
    FCN_OAUTH2_API_ENDPOINTS['twitch']['user'],
    array(
      'headers' => array(
        'Authorization' => 'Bearer ' . $token_response->access_token,
        'Client-ID' => get_option( 'fictioneer_twitch_client_id' )
      )
    )
  );

  // Check retrieved user response
  $user = fictioneer_oauth2_retrieve_user_body( $user_response );

  // Revoke token since it's not needed anymore
  fictioneer_oauth2_revoke_token(
    FCN_OAUTH2_API_ENDPOINTS['twitch']['revoke'],
    array(
      'token' => $token_response->access_token,
      'token_type_hint' => 'access_token',
      'client_id' => get_option( 'fictioneer_twitch_client_id' )
    )
  );

  // Login or register user
  return fictioneer_oauth2_make_user(
    array(
      'channel' => 'twitch',
      'uid' => $user->data[0]->id,
      'email' => $user->data[0]->email,
      'username' => $user->data[0]->login,
      'nickname' => $user->data[0]->display_name,
      'avatar' => esc_url_raw( $user->data[0]->profile_image_url ?? '' )
    ),
    $cookie
  );
}

/**
 * Perform OAuth 2.0 authentication for SubscribeStar
 *
 * @since 5.19.0
 *
 * @param object $token_response  Token request response.
 * @param array  $cookie          Decrypted data of the cookie.
 *
 * @return string Result code from fictioneer_oauth2_make_user().
 */

function fictioneer_oauth2_subscribestar( $token_response, $cookie ) {
  // GraphQL query
  $query = "{ user { id name email email_verified avatar_url } subscriber { subscription { price } } }";

  // Retrieve user data from SubscribeStar
  $user_response = wp_remote_post(
    FCN_OAUTH2_API_ENDPOINTS['subscribestar']['api'],
    array(
      'headers' => array(
        'Accept' => 'application/json',
        'Authorization' => 'Bearer ' . $token_response->access_token
      ),
      'body' => array( 'query' => $query ),
      'blocking' => true,
      'reject_unsafe_urls' => true,
      'data_format' => 'body'
    )
  );

  fictioneer_oauth2_delete_cookie();
  wp_die( json_encode( $user_response ) );
}