<?php
include "../utils/security.php";
secure_session_start();
require_same_origin_request();
require_csrf_token();
header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
	json_response(['success' => false, 'message' => 'Invalid request method.'], 405);
}
$send_to=$_SESSION["end_url"];

include "../../config/config.php";
include "../utils/generate_pin.php";
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);

$username=$_SESSION["username"];
check_rate_limit($conn, 'login_mfa', 5, 10 * 60, $username);
$sql="SELECT 2fa FROM users WHERE username = ?";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$twofa_secret="";
mysqli_stmt_bind_result($stmt, $twofa_secret);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
$twofa_pin=$_POST["twofa_pin"] ?? "";

if($twofa_secret !== "" && hash_equals(generateTOTP($twofa_secret), $twofa_pin)){
	$_SESSION["mfa_authenticated"]=1;
	session_regenerate_id(true);
	clear_rate_limit($conn, 'login_mfa', $username);
	$data = [
		'status' => 'success'
	];
	echo(json_encode($data));
}else{
        $data = [
                'status' => 'failure'
        ];
        echo(json_encode($data));
}


?>