<?php

/**
 * BOHA Automation - Admin Logout API (JWT)
 *
 * POST /api/admin/logout.php
 *
 * Response:
 * {
 *   "success": true,
 *   "message": "Logged out successfully"
 * }
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/AuditLog.php';
require_once dirname(__DIR__) . '/includes/RateLimiter.php';

// Set headers
setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

// Rate limiting (30 requests/minute)
$rateLimiter = new RateLimiter();
$rateLimiter->enforce('logout', 30);

// Only accept POST
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    errorResponse('Metoda není povolena', 405);
}

// Get user from access token if available (for audit logging)
$authData = JWTAuth::optionalAuth();

// Log logout before revoking tokens
if ($authData) {
    AuditLog::logLogout($authData['user_id'], $authData['user']['username'] ?? 'unknown');
}

// Revoke refresh token (from cookie)
$refreshToken = $_COOKIE['refresh_token'] ?? null;
if ($refreshToken) {
    JWTAuth::revokeRefreshToken($refreshToken);
}

successResponse(null, 'Odhlášení úspěšné');