#!/bin/bash
# auth.sh
#
# Credential check hook: validates the token (or token hash) supplied in
# $username against a remote auth API and reports the verdict through the
# exit status (0 = accept, 1 = reject).
#
# Inputs (environment):
#   username                 - raw token (23 chars) or its SHA-512 hex digest
#   auth_failed_reason_file  - optional; when set, a rejection reason is
#                              written to this path
# NOTE(review): the variable names and the TEMP[backoff ...] reason format
# look like an OpenVPN auth-user-pass-verify (via-env) hook - confirm.

# Write a rejection reason for the caller, but only when it asked for one.
#   $1 - complete reason line
deny_reason() {
  if [[ -n "$auth_failed_reason_file" ]]; then
    printf '%s\n' "$1" > "$auth_failed_reason_file"
  fi
}

# Allow-list filter: keep only characters that can occur in a token or a
# token hash. Everything that reaches the URL below has passed through here.
# NOTE(review): `echo` treats a value made up solely of its own option
# letters (e.g. "-n") as an option and prints nothing, so such a value is
# emptied here and then rejected by the length check.
username=$(echo "$username" | tr -dc 'a-zA-Z0-9-')
name_len=${#username}

if (( name_len >= 126 && name_len <= 128 )); then
  # Already a hash. A SHA-512 hex digest is 128 characters; some routers cut
  # off the last one or two bytes, so 126 and 127 are accepted as well.
  hash=$username
elif (( name_len == 23 )); then
  # A raw token was sent instead of its hash, so hash it on the client's behalf.
  hash=$(echo -n "$username" | openssl sha512 | awk '{print $NF}')
else
  # Neither the length of a token nor of a token hash: reject without
  # contacting the API.
  deny_reason "TEMP[backoff 60,advance no]: !!! INVALID TOKEN LENGTH !!!"
  exit 1
fi

# Ask the auth API. IPv4 only, 8 s wget timeout, plus a hard 8 s cap from
# `timeout` so the hook cannot stall the caller.
# NOTE(review): the hash travels in the query string, where web server and
# proxy access logs commonly record it - confirm those logs are treated as
# credential-bearing.
if ! result=$(timeout 8 wget -4 -T8 -qO- "https://[redacted]/?token=$hash"); then
  # Deliberate fail-open: accept the login when the lookup itself fails, so an
  # auth API outage does not lock everyone out.
  # NOTE(review): this applies to every non-zero status from timeout/wget
  # (unreachable host, DNS or TLS failure, HTTP error response, 8 s timeout),
  # and at this point only the length check has been enforced. Confirm the
  # availability-over-security trade-off is intended, and consider logging
  # each fail-open accept so outages and abuse are visible to monitoring.
  exit 0
fi

# Map the API verdict to an exit status. Only the exact reply "gud" grants
# access; any other reply, including an empty or unknown one, is a rejection.
case "$result" in
  gud)
    exit 0 # success
    ;;
  exp)
    # expired token
    deny_reason "TEMP[backoff 60,advance no]: !!! YOUR TOKEN HAS EXPIRED !!!"
    ;;
  max)
    # session limit for this token reached
    deny_reason "TEMP[backoff 30,advance no]: !!! MAX SESSIONS REACHED FOR THAT TOKEN !!!"
    ;;
esac

exit 1 # anything that was not "gud" is invalid