<?php
require_once('Models/AuthService.php');
require_once('Models/UserDataSet.php');
require_once('Models/User.php');

// Enable CORS with more restrictive settings
header('Access-Control-Allow-Origin: *'); // Would be set to domain. Move to .env file
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
header('Content-Type: application/json');

// Add security headers
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Content-Security-Policy: default-src \'self\'');

// Handle OPTIONS request
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

try {
    $auth = new AuthService();
    $userDataSet = new UserDataSet();

    // Handle POST request for login
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $data = json_decode(file_get_contents('php://input'), true);
        
        // Handle CAPTCHA generation
        if (isset($data['action']) && $data['action'] === 'generateCaptcha') {
            // Generate a random 6-character CAPTCHA
            $captcha = substr(str_shuffle('0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 6);
            
            // Store CAPTCHA in session with timestamp
            session_start();
            $_SESSION['captcha'] = [
                'code' => $captcha,
                'timestamp' => time()
            ];
            
            echo json_encode(['captcha' => $captcha]);
            exit;
        }
        
        // Handle token refresh
        if (isset($data['action']) && $data['action'] === 'refresh') {
            if (!isset($data['refreshToken'])) {
                http_response_code(400);
                echo json_encode(['error' => 'Refresh token is required']);
                exit;
            }
            
            $refreshToken = $data['refreshToken'];
            $newToken = $auth->refreshToken($refreshToken);
            
            if (!$newToken) {
                http_response_code(401);
                echo json_encode(['error' => 'Invalid or expired refresh token']);
                exit;
            }
            
            echo json_encode([
                'success' => true,
                'token' => $newToken
            ]);
            exit;
        }
        
        // Handle login
        if (!isset($data['username']) || !isset($data['password'])) {
            http_response_code(400);
            echo json_encode(['error' => 'Username and password are required']);
            exit;
        }

        // Check if CAPTCHA is required
        session_start();
        $loginAttempts = $_SESSION['login_attempts'] ?? 0;
        
        if ($loginAttempts >= 3) {
            // Verify CAPTCHA if required
            if (!isset($data['captchaInput']) || !isset($_SESSION['captcha'])) {
                http_response_code(400);
                echo json_encode(['error' => 'CAPTCHA is required', 'captcha' => true]);
                exit;
            }
            
            // Check if CAPTCHA is expired (5 minutes)
            if (time() - $_SESSION['captcha']['timestamp'] > 300) {
                unset($_SESSION['captcha']);
                http_response_code(400);
                echo json_encode(['error' => 'CAPTCHA expired', 'captcha' => true]);
                exit;
            }
            
            // Verify CAPTCHA code
            if (strtoupper($data['captchaInput']) !== $_SESSION['captcha']['code']) {
                unset($_SESSION['captcha']);
                http_response_code(400);
                echo json_encode(['error' => 'Invalid CAPTCHA', 'captcha' => true]);
                exit;
            }
            
            // Clear CAPTCHA after successful verification
            unset($_SESSION['captcha']);
        }

        // Authenticate user
        $user = new User();
        $token = $user->Authenticate($data['username'], hash('sha256', $data['password']));

        if ($token) {
            // Reset login attempts on successful login
            $_SESSION['login_attempts'] = 0;
            
            // Generate refresh token
            $refreshToken = $auth->generateRefreshToken([
                'id' => $user->getUserId(),
                'username' => $user->getUsername(),
                'accessLevel' => $user->getAccessLevel()
            ]);

            echo json_encode([
                'success' => true,
                'token' => $token,
                'refreshToken' => $refreshToken,
                'user' => [
                    'id' => $user->getUserId(),
                    'username' => $user->getUsername(),
                    'accessLevel' => $user->getAccessLevel()
                ]
            ]);
        } else {
            // Increment login attempts
            $_SESSION['login_attempts'] = ($loginAttempts ?? 0) + 1;
            
            http_response_code(401);
            echo json_encode([
                'error' => 'Invalid credentials',
                'captcha' => $_SESSION['login_attempts'] >= 3
            ]);
        }
        exit;
    }

    // Handle GET request for token validation
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $auth = User::checkAuth(false);
        
        if ($auth) {
            echo json_encode([
                'valid' => true, 
                'user' => [
                    'id' => $auth['uid'],
                    'username' => $auth['username'],
                    'accessLevel' => $auth['accessLevel']
                ]
            ]);
        } else {
            http_response_code(401);
            echo json_encode(['valid' => false, 'error' => 'Invalid or expired token']);
        }
        exit;
    }

    http_response_code(405);
    echo json_encode(['error' => 'Method not allowed']);

} catch (Exception $e) {
    error_log('Auth error: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'Server error', 'message' => $e->getMessage()]);
}