#!/bin/bash
# auth.sh
#
# only allow characters that are in a token or a token hash
username=$(echo "$username" | tr -dc 'a-zA-Z0-9-' )
case "${#username}" in
    128|127|126) hash=$username ;; # is a hash already (some routers cut off the last one or two bytes, so accounting for that)
    23) hash=$(echo -n "$username" | openssl sha512 | awk '{print $NF}') ;; # they didn't hash the token, so do it for them
    *) exit 1 ;; # not the length of a token or a token hash, so reject
esac
# check if token is valid and not expired
result=$(timeout 8 wget -4 -T8 -qO- "https://[redacted]?token=$hash")
# exit 0 if wget fails, in case the auth API server is down
if [ $? -ne 0 ]; then
    exit 0
fi
# process the result
case "$result" in
    expired) exit 1 ;;  # token expired
    good)    exit 0 ;;  # token is valid
    *)       exit 1 ;;  # anything else is invalid
esac