// Copyright 2014 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package oauth2

import (
	
	
	
	
	
	
	

	
)

// defaultExpiryDelta determines how earlier a token should be considered
// expired than its actual expiration time. It is used to avoid late
// expirations due to client-server time mismatches.
const defaultExpiryDelta = 10 * time.Second

// Token represents the credentials used to authorize
// the requests to access protected resources on the OAuth 2.0
// provider's backend.
//
// Most users of this package should not access fields of Token
// directly. They're exported mostly for use by related packages
// implementing derivative OAuth2 flows.
type Token struct {
	// AccessToken is the token that authorizes and authenticates
	// the requests.
	AccessToken string `json:"access_token"`

	// TokenType is the type of token.
	// The Type method returns either this or "Bearer", the default.
	TokenType string `json:"token_type,omitempty"`

	// RefreshToken is a token that's used by the application
	// (as opposed to the user) to refresh the access token
	// if it expires.
	RefreshToken string `json:"refresh_token,omitempty"`

	// Expiry is the optional expiration time of the access token.
	//
	// If zero, [TokenSource] implementations will reuse the same
	// token forever and RefreshToken or equivalent
	// mechanisms for that TokenSource will not be used.
	Expiry time.Time `json:"expiry,omitempty"`

	// ExpiresIn is the OAuth2 wire format "expires_in" field,
	// which specifies how many seconds later the token expires,
	// relative to an unknown time base approximately around "now".
	// It is the application's responsibility to populate
	// `Expiry` from `ExpiresIn` when required.
	ExpiresIn int64 `json:"expires_in,omitempty"`

	// raw optionally contains extra metadata from the server
	// when updating a token.
	raw any

	// expiryDelta is used to calculate when a token is considered
	// expired, by subtracting from Expiry. If zero, defaultExpiryDelta
	// is used.
	expiryDelta time.Duration
}

// Type returns t.TokenType if non-empty, else "Bearer".
func ( *Token) () string {
	if strings.EqualFold(.TokenType, "bearer") {
		return "Bearer"
	}
	if strings.EqualFold(.TokenType, "mac") {
		return "MAC"
	}
	if strings.EqualFold(.TokenType, "basic") {
		return "Basic"
	}
	if .TokenType != "" {
		return .TokenType
	}
	return "Bearer"
}

// SetAuthHeader sets the Authorization header to r using the access
// token in t.
//
// This method is unnecessary when using [Transport] or an HTTP Client
// returned by this package.
func ( *Token) ( *http.Request) {
	.Header.Set("Authorization", .Type()+" "+.AccessToken)
}

// WithExtra returns a new [Token] that's a clone of t, but using the
// provided raw extra map. This is only intended for use by packages
// implementing derivative OAuth2 flows.
func ( *Token) ( any) *Token {
	 := new(Token)
	* = *
	.raw = 
	return 
}

// Extra returns an extra field.
// Extra fields are key-value pairs returned by the server as a
// part of the token retrieval response.
func ( *Token) ( string) any {
	if ,  := .raw.(map[string]any);  {
		return []
	}

	,  := .raw.(url.Values)
	if ! {
		return nil
	}

	 := .Get()
	switch  := strings.TrimSpace(); strings.Count(, ".") {
	case 0: // Contains no "."; try to parse as int
		if ,  := strconv.ParseInt(, 10, 64);  == nil {
			return 
		}
	case 1: // Contains a single "."; try to parse as float
		if ,  := strconv.ParseFloat(, 64);  == nil {
			return 
		}
	}

	return 
}

// timeNow is time.Now but pulled out as a variable for tests.
var timeNow = time.Now

// expired reports whether the token is expired.
// t must be non-nil.
func ( *Token) () bool {
	if .Expiry.IsZero() {
		return false
	}

	 := defaultExpiryDelta
	if .expiryDelta != 0 {
		 = .expiryDelta
	}
	return .Expiry.Round(0).Add(-).Before(timeNow())
}

// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
func ( *Token) () bool {
	return  != nil && .AccessToken != "" && !.expired()
}

// tokenFromInternal maps an *internal.Token struct into
// a *Token struct.
func tokenFromInternal( *internal.Token) *Token {
	if  == nil {
		return nil
	}
	return &Token{
		AccessToken:  .AccessToken,
		TokenType:    .TokenType,
		RefreshToken: .RefreshToken,
		Expiry:       .Expiry,
		ExpiresIn:    .ExpiresIn,
		raw:          .Raw,
	}
}

// retrieveToken takes a *Config and uses that to retrieve an *internal.Token.
// This token is then mapped from *internal.Token into an *oauth2.Token which is returned along
// with an error.
func retrieveToken( context.Context,  *Config,  url.Values) (*Token, error) {
	,  := internal.RetrieveToken(, .ClientID, .ClientSecret, .Endpoint.TokenURL, , internal.AuthStyle(.Endpoint.AuthStyle), .authStyleCache.Get())
	if  != nil {
		if ,  := .(*internal.RetrieveError);  {
			return nil, (*RetrieveError)()
		}
		return nil, 
	}
	return tokenFromInternal(), nil
}

// RetrieveError is the error returned when the token endpoint returns a
// non-2XX HTTP status code or populates RFC 6749's 'error' parameter.
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
type RetrieveError struct {
	Response *http.Response
	// Body is the body that was consumed by reading Response.Body.
	// It may be truncated.
	Body []byte
	// ErrorCode is RFC 6749's 'error' parameter.
	ErrorCode string
	// ErrorDescription is RFC 6749's 'error_description' parameter.
	ErrorDescription string
	// ErrorURI is RFC 6749's 'error_uri' parameter.
	ErrorURI string
}

func ( *RetrieveError) () string {
	if .ErrorCode != "" {
		 := fmt.Sprintf("oauth2: %q", .ErrorCode)
		if .ErrorDescription != "" {
			 += fmt.Sprintf(" %q", .ErrorDescription)
		}
		if .ErrorURI != "" {
			 += fmt.Sprintf(" %q", .ErrorURI)
		}
		return 
	}
	return fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", .Response.Status, .Body)
}