func (c *apiContext) HealthMiddleware(rw web.ResponseWriter, r *web.Request, next web.NextMiddlewareFunc) {
	c.Job = c.hd.stream.NewJob(r.RoutePath())

	path := r.URL.Path
	c.EventKv("starting_request", health.Kvs{"path": path})

	next(rw, r)

	code := rw.StatusCode()
	kvs := health.Kvs{
		"code": fmt.Sprint(code),
		"path": path,
	}

	// Map HTTP status code to category.
	var status health.CompletionStatus
	// if c.Panic {
	// 	status = health.Panic
	// } else
	if code < 400 {
		status = health.Success
	} else if code == 422 {
		status = health.ValidationError
	} else if code < 500 {
		status = health.Junk // 404, 401
	} else {
		status = health.Error
	}
	c.CompleteKv(status, kvs)
}

func (c *Context) Log(rw web.ResponseWriter, r *web.Request, next web.NextMiddlewareFunc) {
	c.Job = stream.NewJob(r.RoutePath())

	id, err := uuid.NewV4()
	if err == nil {
		c.Job.KeyValue("request-id", id.String())
	}

	path := r.URL.Path
	c.Job.EventKv("api.request", health.Kvs{"path": path})

	next(rw, r)

	code := rw.StatusCode()
	kvs := health.Kvs{
		"code": fmt.Sprint(code),
		"path": path,
	}

	// Map HTTP status code to category.
	var status health.CompletionStatus
	if c.Panic {
		status = health.Panic
	} else if code < 400 {
		status = health.Success
	} else if code == 422 {
		status = health.ValidationError
	} else if code < 500 {
		status = health.Junk // 404, 401
	} else {
		status = health.Error
	}
	c.Job.CompleteKv(status, kvs)
}

func GetJobIdsFrom(request *web.Request) (jobIds []string, err error) {
	jobIdsString := request.FormValue("jobIds")
	if jobIdsString == "" {
		err = &ServerError{"Missing path parameter 'jobIds', e.g. ?jobIds=id1,id2,my-big-job"}
		return
	}
	jobIds = strings.Split(jobIdsString, ",")
	return
}

func (c *context) authAccess(rw web.ResponseWriter, req *web.Request, next web.NextMiddlewareFunc) {
	log.Printf("INFO: authAccess %s/%s, %v", c.namespace, c.repo, c.authReq.Actions)

	username, password, ok := req.BasicAuth()

	if c.authReq.Account != "" && c.authReq.Account != username {
		http.Error(rw, "account is not same as login user", http.StatusForbidden)
		return
	}

	var _username acl.Username

	if ok {
		_username = acl.Username(username)
	} else {
		_username = acl.Anonymous
	}

	ok, err := runningContext.Acl.CanLogin(_username, acl.Password(password))

	if err != nil {
		http.Error(rw, err.Error(), http.StatusInternalServerError)
		return
	}

	if !ok {

		if _username == acl.Anonymous {
			http.Error(rw, "", http.StatusUnauthorized)
		} else {
			http.Error(rw, "", http.StatusForbidden)
		}

		return
	}

	// check actions
	for _, v := range c.permsWant {

		p := accessMap[v]

		ok, err := runningContext.Acl.CanAccess(_username, c.namespace, c.repo, p)

		if err != nil {
			http.Error(rw, err.Error(), http.StatusInternalServerError)
			return
		}

		if ok {
			c.authReq.Actions = append(c.authReq.Actions, v)
		}
	}

	sort.Strings(c.authReq.Actions)

	next(rw, req)
}

// FIXME: combine presence validation of path params and form value
// FIXME: this is case sensitive which is wrong
func validatePresenceRequest(r *web.Request, keys ...string) bool {
	ok := true
	for _, k := range keys {
		if r.FormValue(k) == "" {
			ok = false
			break
		}
	}
	return ok
}

func (c *Context) DoPasswordResetRequestHandler(rw web.ResponseWriter, req *web.Request) {

	req.ParseForm()

	var p ResetPasswordForm

	if err := decoder.Decode(&p, req.PostForm); err != nil {
		c.SetErrorMessage(rw, req, "Decoding error: "+err.Error())
		http.Redirect(rw, req.Request, ResetPasswordUrl.Make(), http.StatusSeeOther)
		return
	}

	accountIdStr, ok := req.PathParams["accountId"]
	if !ok {
		http.Error(rw, "400: Bad account ID", http.StatusBadRequest)
		//next(rw, req)
		return
	}

	resetVerificationCode, ok := req.PathParams["resetVerificationCode"]
	if !ok {
		http.Error(rw, "400: Bad verification code", http.StatusBadRequest)
		return
	}

	if p.Password != p.ConfirmPassword {
		c.SetErrorMessage(rw, req, "Your passwords don't match!")
		http.Redirect(rw, req.Request, ResetPasswordUrl.Make("accountId", accountIdStr, "resetVerificationCode", resetVerificationCode), http.StatusSeeOther)
		return
	}

	//get the account ID from the URL
	accountId, err := strconv.ParseInt(accountIdStr, 10, 64)
	if err != nil {
		http.Error(rw, "400: Bad account ID", http.StatusBadRequest)
		return
	}

	a, err := c.Storage.LoadAccountFromId(accountId)
	if err != nil {
		http.Error(rw, "404: Account not found", http.StatusNotFound)
		return
	}

	if err := a.ApplyPasswordResetVerificationCode(c.Storage, resetVerificationCode, p.Password); err != nil {
		c.SetErrorMessage(rw, req, err.Error())
		http.Redirect(rw, req.Request, ResetPasswordUrl.Make("accountId", accountIdStr, "resetVerificationCode", resetVerificationCode), http.StatusSeeOther)
		return
	}

	c.SetNotificationMessage(rw, req, "Password reset - you may now sign in!")
	http.Redirect(rw, req.Request, HomeUrl.Make(), http.StatusFound)
}

func (c *ApiContext) ValidateAwsCredentials(rw web.ResponseWriter, r *web.Request, next web.NextMiddlewareFunc) {
	if ok := validatePresenceRequest(r, "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"); !ok {
		rw.WriteHeader(http.StatusUnauthorized)
		writeJson(rw, map[string]string{
			"error": "missing credentials",
		})
	} else {
		creds := credentials.NewStaticCredentials(r.FormValue("AWS_ACCESS_KEY_ID"), r.FormValue("AWS_SECRET_ACCESS_KEY"), "")
		c.AwsCredentials = creds
		next(rw, r)
	}
}

func (this *RequestHandler) writeSendingFailuresToFile(response web.ResponseWriter, request *web.Request) (err error) {
	targetFile := request.FormValue("targetFile")
	if targetFile == "" {
		return &ServerError{"targetFile must not be empty"}
	}

	jobIds, err := GetJobIdsFrom(request)
	if err != nil {
		return
	}

	err = this.Repository.WriteSendingFailuresToFile(targetFile, jobIds)
	return
}

func (c *Context) convertSQL(rw web.ResponseWriter, req *web.Request) {

	// Check for POST
	if req.Request.Method == "POST" {
		req.ParseForm()
		c.RawSQL = req.Request.FormValue("clsql")
		c.ConvertedSQL = Convert(c.RawSQL)
	} else {
		// Add default
		c.RawSQL = defaultRawSQL
	}

	rend.HTML(rw, http.StatusOK, "index", c)
}

// MeshbluAuth checks auth headers and puts them into the context
func (context *AuthContext) MeshbluAuth(response web.ResponseWriter, request *web.Request, next web.NextMiddlewareFunc) {
	if request.URL.Path == "/healthcheck" {
		next(response, request)
		return
	}
	uuid, token, ok := request.BasicAuth()
	if !ok {
		response.WriteHeader(http.StatusForbidden)
		fmt.Fprint(response, `{"error": "Not Authorized"}`)
		return
	}
	context.uuid = uuid
	context.token = token
	next(response, request)
}

func (c *context) authAccess(rw web.ResponseWriter, req *web.Request, next web.NextMiddlewareFunc) {
	username, password, ok := req.BasicAuth()

	if ok {

		if c.authReq.Account != "" && c.authReq.Account != username {
			http.Error(rw, "account is not same as login user", http.StatusForbidden)
			return
		}

		ok, err := runningContext.Acl.CanLogin(acl.Username(username), acl.Password(password))

		if !ok {
			http.Error(rw, "", http.StatusForbidden)
			return
		}

		if err != nil {
			http.Error(rw, err.Error(), http.StatusInternalServerError)
			return
		}

		// check actions
		for _, v := range c.authReq.Actions {

			p := accessMap[v]

			ok, err := runningContext.Acl.CanAccess(acl.Username(username), c.namespace, c.repo, p)

			if err != nil {
				http.Error(rw, err.Error(), http.StatusInternalServerError)
				return
			}

			if !ok {
				http.Error(rw, "", http.StatusForbidden)
				return
			}
		}

		next(rw, req)
		return
	}

	http.Error(rw, "", http.StatusUnauthorized)
}

func (c *Context) DoBeginPasswordResetRequestHandler(rw web.ResponseWriter, req *web.Request) {
	req.ParseForm()

	var p PasswordResetRequestForm

	if err := decoder.Decode(&p, req.PostForm); err != nil {
		c.SetErrorMessage(rw, req, "Decoding error: "+err.Error())
		http.Redirect(rw, req.Request, ResetPasswordUrl.Make(), http.StatusSeeOther)
		return
	}

	account.DoPasswordResetRequestIfPossible(c.Storage, p.Email)

	c.SetNotificationMessage(rw, req, "Password reset requested.")
	http.Redirect(rw, req.Request, HomeUrl.Make(), http.StatusFound)

}

func (c *context) parseRequest(rw web.ResponseWriter, req *web.Request, next web.NextMiddlewareFunc) {

	// GET /v2/token/?service=registry.docker.com&scope=repository:samalba/my-app:push&account=jlhawn HTTP/1.1
	c.authReq.Account = req.FormValue("account")

	c.authReq.Service = req.FormValue("service")

	scope := req.FormValue("scope")

	if scope != "" {
		parts := strings.Split(scope, ":")
		if len(parts) != 3 {
			http.Error(rw, fmt.Sprintf("invalid scope: %q", scope), http.StatusBadRequest)
			return
		}

		c.authReq.Type = parts[0]
		c.authReq.Name = parts[1]

		if strings.Contains(parts[1], "/") {
			nr := strings.SplitN(parts[1], "/", 2)

			c.namespace = nr[0]
			c.repo = nr[1]
		} else {
			c.namespace = "library"
			c.repo = parts[1]
		}

		c.permsWant = strings.Split(parts[2], ",")
	}

	next(rw, req)
}

func (ctx *Context) SignupPost(w web.ResponseWriter, r *web.Request) {
	user := &models.User{
		Name:     r.FormValue("name"),
		Email:    r.FormValue("email"),
		Password: r.FormValue("password"),
	}
	Render.HTML(w, http.StatusOK, "signup", PageData{"Title": "Sign up right NOW!!!", "User": user})
}

func (c *Context) DoCreateFactHandler(rw web.ResponseWriter, req *web.Request) {

	req.ParseForm()

	var f fact.Fact

	if err := decoder.Decode(&f, req.PostForm); err != nil {
		c.SetErrorMessage(rw, req, "Decoding error: "+err.Error())
		http.Redirect(rw, req.Request, CreateFactUrl.Make(), http.StatusSeeOther)
		return
	}

	f.AccountId = c.Account.Id

	if err := fact.CreateFact(c.Storage, &f); err != nil {
		c.SetFailedRequestObject(rw, req, f)
		c.SetErrorMessage(rw, req, err.Error())
		http.Redirect(rw, req.Request, CreateFactUrl.Make(), http.StatusSeeOther)
		return
	}

	c.SetNotificationMessage(rw, req, "Fact submitted successfully!")
	http.Redirect(rw, req.Request, ViewFactUrl.Make("factId", strconv.FormatInt(f.Id, 10)), http.StatusFound)
}

func (c *Context) DoSignUpHandler(rw web.ResponseWriter, req *web.Request) {

	req.ParseForm()

	var u CreateAccount

	if err := decoder.Decode(&u, req.PostForm); err != nil {
		c.SetErrorMessage(rw, req, "Decoding error: "+err.Error())
		http.Redirect(rw, req.Request, SignUpUrl.Make(), http.StatusSeeOther)
		return
	}

	if u.Password != u.ConfirmPassword {
		c.SetFailedRequestObject(rw, req, u)
		c.SetErrorMessage(rw, req, "Your passwords don't match!")
		http.Redirect(rw, req.Request, SignUpUrl.Make(), http.StatusSeeOther)
		return
	}

	if u.TermsCB != true {
		c.SetFailedRequestObject(rw, req, u)
		c.SetErrorMessage(rw, req, "You must accept the terms and conditions!")
		http.Redirect(rw, req.Request, SignUpUrl.Make(), http.StatusSeeOther)
		return
	}

	if err := account.CheckAndCreateAccount(c.Storage, u.Email, u.Password, u.Nickname); err != nil {
		c.SetFailedRequestObject(rw, req, u)
		c.SetErrorMessage(rw, req, err.Error())
		http.Redirect(rw, req.Request, SignUpUrl.Make(), http.StatusSeeOther)
		return
	}

	c.SetNotificationMessage(rw, req, "Your account has been created. Please wait for your verification email, verify, and then you can sign in!")
	http.Redirect(rw, req.Request, HomeUrl.Make(), http.StatusFound)
}

func (c *Context) DoSignInRequestHandler(rw web.ResponseWriter, req *web.Request) {
	req.ParseForm()

	var prop LoginRequestForm
	if err := decoder.Decode(&prop, req.PostForm); err != nil {
		c.SetErrorMessage(rw, req, "Decoding error: "+err.Error())
		http.Redirect(rw, req.Request, SignUpUrl.Make(), http.StatusSeeOther)
		return
	}

	propUser, err := account.AttemptLogin(c.Storage, prop.Email, prop.Password, prop.Remember)

	if propUser != nil {
		//they have passed the login check. Save them to the session and redirect to management portal
		session, _ := c.Store.Get(req.Request, "session-security")
		session.Values["sessionId"] = propUser.CurrentSession.String
		c.SetNotificationMessage(rw, req, "Hi, "+propUser.Nickname+".")
		session.Save(req.Request, rw)
		http.Redirect(rw, req.Request, HomeUrl.Make(), http.StatusFound)
		return
	}
	c.SetErrorMessage(rw, req, err.Error())
	http.Redirect(rw, req.Request, HomeUrl.Make(), http.StatusSeeOther)
}

func (c *context) authAccess(rw web.ResponseWriter, req *web.Request, next web.NextMiddlewareFunc) {

	// Authorization: Token signature=123,repository="library/test",access=write
	a, ok := req.Header["Authorization"]

	if ok {
		m := make(map[string]string)

		s := strings.TrimLeft(a[0], "Token ")

		for _, p := range strings.Split(s, ",") {

			kv := strings.Split(p, "=")

			k := kv[0]
			v := kv[1]

			m[k] = v
		}

		nr := strings.SplitN(strings.Trim(m["repository"], `"`), "/", 2)

		m["namespace"] = nr[0]
		m["repo"] = nr[1]

		if c.checkSignature(nr[0], nr[1], m["signature"], m["access"]) {
			next(rw, req)
			return
		}

	}

	// Authorization: Basic
	username, password, ok := req.BasicAuth()

	var _username acl.Username

	if ok {
		_username = acl.Username(username)
	} else {
		_username = acl.Anonymous
	}

	// TODO should move to a separate func
	// happens when login
	if c.namespace == "" || c.repo == "" {

		// Anonymous cant login
		if _username == acl.Anonymous {
			http.Error(rw, "", http.StatusUnauthorized)
		}

		return
	}

	ok, err := runningContext.Acl.CanLogin(_username, acl.Password(password))

	if err != nil {
		http.Error(rw, err.Error(), http.StatusInternalServerError)
		return
	}

	if !ok {

		if _username == acl.Anonymous {
			http.Error(rw, "", http.StatusUnauthorized)
		} else {
			http.Error(rw, "", http.StatusForbidden)
		}

		return
	}

	// TODO remove this scope
	{
		a, ok := accessMap[req.Method]

		if !ok {
			http.Error(rw, "", http.StatusMethodNotAllowed)
			return
		}

		ok, err = runningContext.Acl.CanAccess(_username, c.namespace, c.repo, a.Permission)

		if err != nil {
			http.Error(rw, err.Error(), http.StatusInternalServerError)
			return
		}

		if !ok {
			http.Error(rw, "", http.StatusForbidden)
			return
		}
	}

	next(rw, req)
}