#!/bin/bash
# test-token-refresh.sh — Test if the current refresh token can get a new access token
# Does NOT write any files — read-only test

set -euo pipefail

TOKEN_URL="https://console.anthropic.com/v1/oauth/token"
CLIENT_ID="9d1c250a-e61b-44d9-88ed-5944d1962f5e"

# Find credentials file
CREDS_FILE="${1:-}"
if [ -z "$CREDS_FILE" ]; then
    for path in \
        /root/.openclaw/workspaces/workspace-claude-proxy/config/.claude/.credentials.json \
        /root/.claude/.credentials.json \
        "$HOME/.claude/.credentials.json"; do
        if [ -f "$path" ]; then
            CREDS_FILE="$path"
            break
        fi
    done
fi

if [ -z "$CREDS_FILE" ] || [ ! -f "$CREDS_FILE" ]; then
    echo "ERROR: No credentials file found. Provide path as argument."
    exit 1
fi

echo "Credentials file: $CREDS_FILE"

# Extract refresh token
REFRESH_TOKEN=$(python3 -c "
import json
with open('$CREDS_FILE') as f:
    d = json.load(f)
print(d['claudeAiOauth']['refreshToken'])
")

echo "Refresh token: ${REFRESH_TOKEN:0:20}..."
echo ""
echo "Testing refresh endpoint..."

RESPONSE=$(curl -s -X POST "$TOKEN_URL" \
    -H "Content-Type: application/json" \
    -d "{\"grant_type\":\"refresh_token\",\"refresh_token\":\"$REFRESH_TOKEN\",\"client_id\":\"$CLIENT_ID\"}")

python3 -c "
import json, sys

resp = json.loads('''$RESPONSE''')

if 'access_token' in resp:
    print('SUCCESS')
    print(f'  New access token: {resp[\"access_token\"][:20]}...')
    print(f'  Expires in: {resp[\"expires_in\"] // 3600}h')
    account = resp.get('account', {}).get('email_address', 'unknown')
    print(f'  Account: {account}')
else:
    print('FAILED')
    print(f'  Error: {resp.get(\"error\", \"unknown\")}')
    print(f'  Description: {resp.get(\"error_description\", \"unknown\")}')
    sys.exit(1)
"

echo ""
echo "Note: This was a read-only test. No files were modified."