<?php
// ============================================
// MakLinkApp – backend/api/login.php
// Handles credential login + MFA verification
// ============================================

// Response headers: JSON body, one allowed browser origin.
$allowedOrigin = 'https://maklinkapp.tfsbd.com';
header('Content-Type: application/json');
header("Access-Control-Allow-Origin: {$allowedOrigin}");
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');

// CORS preflight gets an empty 204; anything other than POST is refused.
// respond() is declared further down in this file, but PHP hoists
// unconditional top-level functions, so it is already callable here.
$method = $_SERVER['REQUEST_METHOD'];
if ($method === 'OPTIONS') {
    http_response_code(204);
    exit;
}
if ($method !== 'POST') {
    respond(405, 'Method not allowed');
}

require_once '../config/db_connect.php';
require_once '../config/settings.php';

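// Decode the JSON body. Anything that is not a JSON object (invalid JSON, a
// bare scalar, an empty body) is treated as an empty request so the later
// `$data[...]` lookups never index into a string/int/null.
$rawBody = file_get_contents('php://input');
$data    = $rawBody === false ? null : json_decode($rawBody, true);
if (!is_array($data)) {
    $data = [];
}
$action = $data['action'] ?? 'login';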

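// ---- Step 1: Credential login ----
if ($action === 'login') {
    // Validate rather than sanitise: FILTER_SANITIZE_EMAIL silently strips
    // characters and would then look up a different address than the one the
    // client actually sent. A malformed address is rejected with 400 instead.
    $email    = filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = $data['password'] ?? '';

    if ($email === false || !is_string($password) || $password === '') {
        respond(400, 'Email and password are required');
    }

    // email is selected too so the OTP mail goes to the stored address.
    $stmt = $pdo->prepare("SELECT id, name, email, role, password_hash, mfa_enabled FROM users WHERE email = ? AND active = 1 LIMIT 1");
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // One generic 401 for both "unknown email" and "wrong password" so the
    // response body does not reveal which accounts exist.
    if (!$user || !password_verify($password, (string)$user['password_hash'])) {
        respond(401, 'Invalid credentials');
    }

    // Log the accepted credential check. This row is written before MFA, so
    // 'login_attempt' means "password accepted", not "session established".
    $pdo->prepare("INSERT INTO login_log (user_id, ip, action, created_at) VALUES (?,?,?,NOW())")
        ->execute([$user['id'], $_SERVER['REMOTE_ADDR'] ?? '', 'login_attempt']);

    if ($user['mfa_enabled']) {
        // random_int() is a CSPRNG; rand() is seeded predictably and must not
        // be used for one-time codes.
        $otp     = random_int(100000, 999999);
        $expires = date('Y-m-d H:i:s', time() + 300); // 5 min, same clock as the verify step
        // NOTE(review): the code is stored in clear text and no failed-attempt
        // counter exists; hashing it and limiting attempts would reduce the
        // impact of a database read or of online guessing.
        $pdo->prepare("UPDATE users SET otp_code = ?, otp_expires = ? WHERE id = ?")
            ->execute([$otp, $expires, $user['id']]);
        sendOTPEmail($user['email'], $otp); // defined in settings.php
        respond(200, 'MFA required', ['mfa_required' => true, 'user_id' => $user['id']]);
    }

    respond(200, 'Login successful', [
        'token'    => generateJWT($user),
        'user'     => ['id' => $user['id'], 'name' => $user['name'], 'role' => $user['role']],
        'redirect' => '/dashboard.html',
    ]);
}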

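// ---- Step 2: MFA verification ----
if ($action === 'verify_mfa') {
    $user_id = (int)($data['user_id'] ?? 0);
    // JSON may deliver the code as an int or a string; anything else (array,
    // object) is malformed and is treated as an empty, hence invalid, code.
    $otpRaw = $data['otp'] ?? '';
    $otp    = is_scalar($otpRaw) ? (string)$otpRaw : '';

    // `active = 1` matches the login query: an account deactivated after the
    // code was issued must not be able to finish logging in.
    $stmt = $pdo->prepare("SELECT id, name, role, otp_code, otp_expires FROM users WHERE id = ? AND active = 1 LIMIT 1");
    $stmt->execute([$user_id]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user) { respond(404, 'User not found'); }

    // "No pending code", "expired" and "mismatch" all produce the same 401 so
    // the response does not tell a caller which one it hit. hash_equals()
    // keeps the comparison constant-time; the string casts avoid int-vs-string
    // mismatches between the driver's column type and the JSON body.
    $storedCode = $user['otp_code'];
    $expiresAt  = $user['otp_expires'];
    $otpValid   = $storedCode !== null
        && $otp !== ''
        && $expiresAt !== null
        && strtotime((string)$expiresAt) >= time()
        && hash_equals((string)$storedCode, $otp);
    // NOTE(review): there is no limit on verification attempts for a pending
    // code; a per-user failed-attempt counter or rate limit should be added.
    if (!$otpValid) {
        respond(401, 'Invalid or expired OTP');
    }

    // Clear OTP so it cannot be replayed.
    $pdo->prepare("UPDATE users SET otp_code = NULL, otp_expires = NULL WHERE id = ?")->execute([$user['id']]);

    respond(200, 'MFA verified', [
        'token'    => generateJWT($user),
        'user'     => ['id' => $user['id'], 'name' => $user['name'], 'role' => $user['role']],
        'redirect' => '/dashboard.html',
    ]);
}

respond(400, 'Unknown action');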

// ---- Helpers ----
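/**
 * Emit a JSON response and terminate the script.
 *
 * The body is `{"status": "ok"|"error", "message": ..., ...$data}`; keys in
 * $data override the two fixed ones. `status` is derived from $code (< 400 → ok).
 *
 * @param int    $code    HTTP status code to send.
 * @param string $message Human-readable message placed under "message".
 * @param array  $data    Extra top-level keys merged into the body.
 */
function respond(int $code, string $message, array $data = []): never {
    http_response_code($code);
    // JSON_INVALID_UTF8_SUBSTITUTE: a malformed byte sequence (e.g. in a name
    // read from the database) must not turn the whole body into `false`.
    $body = json_encode(
        ['status' => $code < 400 ? 'ok' : 'error', 'message' => $message, ...$data],
        JSON_INVALID_UTF8_SUBSTITUTE,
    );
    if ($body === false) {
        // Last resort: still send syntactically valid JSON rather than an empty body.
        http_response_code(500);
        $body = '{"status":"error","message":"Response encoding failed"}';
    }
    echo $body;
    exit;
}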

/**
 * Build a minimal HS256 token from the user row (id, name, role).
 *
 * NOTE(review): parts are encoded with plain base64_encode, not the base64url
 * alphabet JWT specifies, so standard JWT libraries will reject these tokens;
 * whatever verifies them must use the matching decoder. The payload is signed,
 * not encrypted – nothing secret belongs in it. Use firebase/php-jwt in production.
 *
 * @param array $user Row with 'id', 'name' and 'role' keys.
 */
function generateJWT(array $user): string {
    $encodePart = static fn (array $part): string => base64_encode(json_encode($part));
    $issuedAt   = time();

    $header  = $encodePart(['alg' => 'HS256', 'typ' => 'JWT']);
    $payload = $encodePart([
        'sub'  => $user['id'],
        'name' => $user['name'],
        'role' => $user['role'],
        'iat'  => $issuedAt,
        'exp'  => $issuedAt + 86400, // 24 h
    ]);

    $signingInput = $header . '.' . $payload;
    $signature    = base64_encode(hash_hmac('sha256', $signingInput, JWT_SECRET, true));

    return $signingInput . '.' . $signature;
}
