<?php

require_once __DIR__ . '/../vendor/autoload.php';

use Jakach\Logging\Storage\Database;
use Jakach\Logging\Storage\Repository;

$logFile = '/tmp/oauth_debug.log';
file_put_contents($logFile, date('c') . " oauth.php called\n", FILE_APPEND);
file_put_contents($logFile, "GET: " . json_encode($_GET) . "\n", FILE_APPEND);

session_set_cookie_params([
    'lifetime' => 86400 * 7,
    'path' => '/',
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

$authToken = $_GET['auth'] ?? '';
$errorRedirect = $_GET['redirect'] ?? '/';

file_put_contents($logFile, "authToken: $authToken\n", FILE_APPEND);

if (!$authToken) {
    $_SESSION['auth_error'] = 'Missing authentication token.';
    file_put_contents($logFile, "ERROR: missing auth token\n", FILE_APPEND);
    header('Location: ' . $errorRedirect);
    exit;
}

$checkUrl = 'https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=' . urlencode($authToken);
file_put_contents($logFile, "checkUrl: $checkUrl\n", FILE_APPEND);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $checkUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curlError = curl_error($ch);
curl_close($ch);

file_put_contents($logFile, "httpCode: $httpCode response: " . substr($response, 0, 500) . " curlError: $curlError\n", FILE_APPEND);

if ($httpCode !== 200 || !$response) {
    $_SESSION['auth_error'] = "Auth server unreachable ($httpCode)";
    file_put_contents($logFile, "ERROR: bad response $httpCode\n", FILE_APPEND);
    header('Location: ' . $errorRedirect);
    exit;
}

$data = json_decode($response, true);

if (!isset($data['status']) || $data['status'] !== 'success') {
    $_SESSION['auth_error'] = 'Authentication failed: ' . ($data['msg'] ?? 'Unknown error');
    file_put_contents($logFile, "ERROR: auth failed: " . json_encode($data) . "\n", FILE_APPEND);
    header('Location: ' . $errorRedirect);
    exit;
}

$userToken = $data['user_token'] ?? '';
file_put_contents($logFile, "Auth success, user_token: $userToken\n", FILE_APPEND);

$db = new Database();
$repo = new Repository($db);

$allowedTokens = $repo->getAllowedUserTokens();
file_put_contents($logFile, "allowedTokens: " . json_encode($allowedTokens) . "\n", FILE_APPEND);

if (empty($allowedTokens)) {
    file_put_contents($logFile, "First user, adding to allowed tokens\n", FILE_APPEND);
    $repo->setAllowedUserTokens([$userToken]);
} elseif (!in_array($userToken, $allowedTokens, true)) {
    $_SESSION['auth_error'] = 'Your Jakach account is not authorized to access this system. Contact an administrator.';
    file_put_contents($logFile, "ERROR: user not allowed\n", FILE_APPEND);
    header('Location: ' . $errorRedirect);
    exit;
}

$_SESSION['loggedin'] = true;
$_SESSION['username'] = $data['username'] ?? 'unknown';
$_SESSION['id'] = $data['id'] ?? '';
$_SESSION['email'] = $data['email'] ?? '';
$_SESSION['telegram_id'] = $data['telegram_id'] ?? '';
$_SESSION['user_token'] = $userToken;
unset($_SESSION['auth_error']);

file_put_contents($logFile, "Session set, redirecting to: $errorRedirect\n", FILE_APPEND);

$redirect = $_GET['redirect'] ?? '/';
header('Location: ' . $redirect);
exit;