<?php

require_once("Models/User.php");
require_once("Models/AuthService.php");

// Enable CORS
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');

// Handle OPTIONS request
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

// Create service objects
$authService = new AuthService();

// Start session for CAPTCHA handling only
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Handle AJAX requests
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    header('Content-Type: application/json');
    
    if (isset($_POST["action"])) {
        switch ($_POST["action"]) {
            case "login":
                $username = $_POST["username"];
                $password = hash("sha256", $_POST["password"]);
                
                // Check if CAPTCHA is required (after 3 failed attempts)
                $loginAttempts = isset($_SESSION['loginAttempts']) ? $_SESSION['loginAttempts'] : 0;
                
                if ($loginAttempts >= 3) {
                    // Validate CAPTCHA
                    if (!isset($_POST["captchaInput"]) || !isset($_SESSION['captcha']) || 
                        $_POST["captchaInput"] !== $_SESSION['captcha']) {
                        // Generate new CAPTCHA for next attempt
                        $captcha = substr(str_shuffle("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"), 0, 5);
                        $_SESSION['captcha'] = $captcha;
                        echo json_encode([
                            "error" => "Incorrect CAPTCHA.",
                            "captcha" => $captcha
                        ]);
                        exit;
                    }
                    // Clear CAPTCHA after successful validation
                    unset($_SESSION['captcha']);
                }

                // Authenticate user
                $user = new User();
                $token = $user->Authenticate($username, $password);

                if ($token) {
                    // Reset login attempts on successful login
                    $_SESSION['loginAttempts'] = 0;
                    
                    // Generate refresh token
                    $refreshToken = $authService->generateRefreshToken([
                        'id' => $user->getUserId(),
                        'username' => $user->getUsername(),
                        'accessLevel' => $user->getAccessLevel()
                    ]);

                    echo json_encode([
                        'success' => true,
                        'token' => $token,
                        'refreshToken' => $refreshToken,
                        'user' => [
                            'id' => $user->getUserId(),
                            'username' => $user->getUsername(),
                            'accessLevel' => $user->getAccessLevel()
                        ],
                        'redirect' => '/'
                    ]);
                } else {
                    // Increment login attempts
                    $_SESSION['loginAttempts'] = $loginAttempts + 1;
                    
                    // If this failure triggers CAPTCHA, generate it
                    if ($_SESSION['loginAttempts'] >= 3) {
                        $captcha = substr(str_shuffle("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"), 0, 5);
                        $_SESSION['captcha'] = $captcha;
                        echo json_encode([
                            "error" => "Invalid username or password.",
                            "captcha" => $captcha
                        ]);
                    } else {
                        echo json_encode(["error" => "Invalid username or password."]);
                    }
                }
                break;

            case "logout":
                // Clear session (only used for CAPTCHA)
                session_unset();
                session_destroy();
                
                echo json_encode([
                    "success" => true,
                    "redirect" => '/'
                ]);
                break;
                
            case "refresh":
                // Validate refresh token
                if (!isset($_POST['refreshToken'])) {
                    echo json_encode([
                        "valid" => false,
                        "error" => "No refresh token provided"
                    ]);
                    exit;
                }
                
                $refreshToken = $_POST['refreshToken'];
                $newToken = $authService->refreshToken($refreshToken);
                
                if ($newToken) {
                    echo json_encode([
                        "valid" => true,
                        "token" => $newToken
                    ]);
                } else {
                    echo json_encode([
                        "valid" => false,
                        "error" => "Invalid or expired refresh token"
                    ]);
                }
                break;
                
            case "validate":
                // Validate JWT token using the simplified approach
                $auth = User::checkAuth(false);
                
                if ($auth) {
                    echo json_encode([
                        "valid" => true,
                        "user" => [
                            "id" => $auth['uid'],
                            "username" => $auth['username'],
                            "accessLevel" => $auth['accessLevel']
                        ]
                    ]);
                } else {
                    echo json_encode([
                        "valid" => false
                    ]);
                }
                break;
        }
        exit;
    }
}