{-# LANGUAGE DataKinds                   #-}
{-# LANGUAGE DeriveGeneric               #-}
{-# LANGUAGE FlexibleInstances           #-}
{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
{-# LANGUAGE LambdaCase                  #-}
{-# LANGUAGE NoImplicitPrelude           #-}
{-# LANGUAGE OverloadedStrings           #-}
{-# LANGUAGE RecordWildCards             #-}
{-# LANGUAGE TypeFamilies                #-}

{-# OPTIONS_GHC -fno-warn-unused-imports #-}

-- Module      : Network.AWS.CognitoIdentity.GetOpenIdTokenForDeveloperIdentity
-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
-- License     : This Source Code Form is subject to the terms of
--               the Mozilla Public License, v. 2.0.
--               A copy of the MPL can be found in the LICENSE file or
--               you can obtain it at http://mozilla.org/MPL/2.0/.
-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
-- Stability   : experimental
-- Portability : non-portable (GHC extensions)
--
-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- | Registers (or retrieves) a Cognito 'IdentityId' and an OpenID Connect token for
-- a user authenticated by your backend authentication process. Supplying
-- multiple logins will create an implicit linked account. You can only specify
-- one developer provider as part of the 'Logins' map, which is linked to the
-- identity pool. The developer provider is the "domain" by which Cognito will
-- refer to your users.
--
-- You can use 'GetOpenIdTokenForDeveloperIdentity' to create a new identity and
-- to link new logins (that is, user credentials issued by a public provider or
-- developer provider) to an existing identity. When you want to create a new
-- identity, the 'IdentityId' should be null. When you want to associate a new
-- login with an existing authenticated/unauthenticated identity, you can do so
-- by providing the existing 'IdentityId'. This API will create the identity in
-- the specified 'IdentityPoolId'.
--
-- <http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html>
module Network.AWS.CognitoIdentity.GetOpenIdTokenForDeveloperIdentity
    (
    -- * Request
      GetOpenIdTokenForDeveloperIdentity
    -- ** Request constructor
    , getOpenIdTokenForDeveloperIdentity
    -- ** Request lenses
    , goitfdiIdentityId
    , goitfdiIdentityPoolId
    , goitfdiLogins
    , goitfdiTokenDuration

    -- * Response
    , GetOpenIdTokenForDeveloperIdentityResponse
    -- ** Response constructor
    , getOpenIdTokenForDeveloperIdentityResponse
    -- ** Response lenses
    , goitfdirIdentityId
    , goitfdirToken
    ) where

import Network.AWS.Data (Object)
import Network.AWS.Prelude
import Network.AWS.Request.JSON
import Network.AWS.CognitoIdentity.Types
import qualified GHC.Exts

data GetOpenIdTokenForDeveloperIdentity = GetOpenIdTokenForDeveloperIdentity
    { _goitfdiIdentityId     :: Maybe Text
    , _goitfdiIdentityPoolId :: Text
    , _goitfdiLogins         :: Map Text Text
    , _goitfdiTokenDuration  :: Maybe Nat
    } deriving (Eq, Read, Show)

-- | 'GetOpenIdTokenForDeveloperIdentity' constructor.
--
-- The fields accessible through corresponding lenses are:
--
-- * 'goitfdiIdentityId' @::@ 'Maybe' 'Text'
--
-- * 'goitfdiIdentityPoolId' @::@ 'Text'
--
-- * 'goitfdiLogins' @::@ 'HashMap' 'Text' 'Text'
--
-- * 'goitfdiTokenDuration' @::@ 'Maybe' 'Natural'
--
getOpenIdTokenForDeveloperIdentity :: Text -- ^ 'goitfdiIdentityPoolId'
                                   -> GetOpenIdTokenForDeveloperIdentity
getOpenIdTokenForDeveloperIdentity p1 = GetOpenIdTokenForDeveloperIdentity
    { _goitfdiIdentityPoolId = p1
    , _goitfdiIdentityId     = Nothing
    , _goitfdiLogins         = mempty
    , _goitfdiTokenDuration  = Nothing
    }

-- | A unique identifier in the format REGION:GUID.
goitfdiIdentityId :: Lens' GetOpenIdTokenForDeveloperIdentity (Maybe Text)
goitfdiIdentityId =
    lens _goitfdiIdentityId (\s a -> s { _goitfdiIdentityId = a })

-- | An identity pool ID in the format REGION:GUID.
goitfdiIdentityPoolId :: Lens' GetOpenIdTokenForDeveloperIdentity Text
goitfdiIdentityPoolId =
    lens _goitfdiIdentityPoolId (\s a -> s { _goitfdiIdentityPoolId = a })

-- | A set of optional name-value pairs that map provider names to provider
-- tokens. Each name-value pair represents a user from a public provider or
-- developer provider. If the user is from a developer provider, the name-value
-- pair will follow the syntax '"developer_provider_name":"developer_user_identifier"'. The developer provider is the "domain" by which
-- Cognito will refer to your users; you provided this domain while
-- creating/updating the identity pool. The developer user identifier is an
-- identifier from your backend that uniquely identifies a user. When you create
-- an identity pool, you can specify the supported logins.
goitfdiLogins :: Lens' GetOpenIdTokenForDeveloperIdentity (HashMap Text Text)
goitfdiLogins = lens _goitfdiLogins (\s a -> s { _goitfdiLogins = a }) . _Map

-- | The expiration time of the token, in seconds. You can specify a custom
-- expiration time for the token so that you can cache it. If you don't provide
-- an expiration time, the token is valid for 15 minutes. You can exchange the
-- token with Amazon STS for temporary AWS credentials, which are valid for a
-- maximum of one hour. The maximum token duration you can set is 24 hours. You
-- should take care in setting the expiration time for a token, as there are
-- significant security implications: an attacker could use a leaked token to
-- access your AWS resources for the token's duration.
goitfdiTokenDuration :: Lens' GetOpenIdTokenForDeveloperIdentity (Maybe Natural)
goitfdiTokenDuration =
    lens _goitfdiTokenDuration (\s a -> s { _goitfdiTokenDuration = a })
        . mapping _Nat

data GetOpenIdTokenForDeveloperIdentityResponse = GetOpenIdTokenForDeveloperIdentityResponse
    { _goitfdirIdentityId :: Maybe Text
    , _goitfdirToken      :: Maybe Text
    } deriving (Eq, Ord, Read, Show)

-- | 'GetOpenIdTokenForDeveloperIdentityResponse' constructor.
--
-- The fields accessible through corresponding lenses are:
--
-- * 'goitfdirIdentityId' @::@ 'Maybe' 'Text'
--
-- * 'goitfdirToken' @::@ 'Maybe' 'Text'
--
getOpenIdTokenForDeveloperIdentityResponse :: GetOpenIdTokenForDeveloperIdentityResponse
getOpenIdTokenForDeveloperIdentityResponse = GetOpenIdTokenForDeveloperIdentityResponse
    { _goitfdirIdentityId = Nothing
    , _goitfdirToken      = Nothing
    }

-- | A unique identifier in the format REGION:GUID.
goitfdirIdentityId :: Lens' GetOpenIdTokenForDeveloperIdentityResponse (Maybe Text)
goitfdirIdentityId =
    lens _goitfdirIdentityId (\s a -> s { _goitfdirIdentityId = a })

-- | An OpenID token.
goitfdirToken :: Lens' GetOpenIdTokenForDeveloperIdentityResponse (Maybe Text)
goitfdirToken = lens _goitfdirToken (\s a -> s { _goitfdirToken = a })

instance ToPath GetOpenIdTokenForDeveloperIdentity where
    toPath = const "/"

instance ToQuery GetOpenIdTokenForDeveloperIdentity where
    toQuery = const mempty

instance ToHeaders GetOpenIdTokenForDeveloperIdentity

instance ToJSON GetOpenIdTokenForDeveloperIdentity where
    toJSON GetOpenIdTokenForDeveloperIdentity{..} = object
        [ "IdentityPoolId" .= _goitfdiIdentityPoolId
        , "IdentityId"     .= _goitfdiIdentityId
        , "Logins"         .= _goitfdiLogins
        , "TokenDuration"  .= _goitfdiTokenDuration
        ]

instance AWSRequest GetOpenIdTokenForDeveloperIdentity where
    type Sv GetOpenIdTokenForDeveloperIdentity = CognitoIdentity
    type Rs GetOpenIdTokenForDeveloperIdentity = GetOpenIdTokenForDeveloperIdentityResponse

    request  = post "GetOpenIdTokenForDeveloperIdentity"
    response = jsonResponse

instance FromJSON GetOpenIdTokenForDeveloperIdentityResponse where
    parseJSON = withObject "GetOpenIdTokenForDeveloperIdentityResponse" $ \o -> GetOpenIdTokenForDeveloperIdentityResponse
        <$> o .:? "IdentityId"
        <*> o .:? "Token"