<?php

/**
 * BOHA Automation - Token Refresh Endpoint
 *
 * Uses the httpOnly refresh_token cookie to issue a new access token.
 * Called silently on page load and when access token expires.
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/RateLimiter.php';

setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    errorResponse('Method not allowed', 405);
}

$rateLimiter = new RateLimiter();
$rateLimiter->enforce('refresh', 30);

// Check for refresh token in cookie
if (!isset($_COOKIE['refresh_token'])) {
    errorResponse('No refresh token', 401);
}

// Attempt to refresh tokens
$result = JWTAuth::refreshTokens();

if (!$result) {
    errorResponse('Invalid or expired refresh token', 401);
}

// Add 2FA info to user data
try {
    $pdo = db();
    $stmt = $pdo->prepare('SELECT totp_enabled FROM users WHERE id = ?');
    $stmt->execute([$result['user']['id']]);
    $u = $stmt->fetch();
    $result['user']['totp_enabled'] = (bool) ($u['totp_enabled'] ?? false);

    $stmt = $pdo->query("SELECT require_2fa FROM company_settings LIMIT 1");
    $result['user']['require_2fa'] = (bool) $stmt->fetchColumn();
} catch (PDOException $e) {
    $result['user']['totp_enabled'] = false;
    $result['user']['require_2fa'] = false;
}

successResponse([
    'access_token' => $result['access_token'],
    'expires_in' => $result['expires_in'],
    'user' => $result['user'],
], 'Token refreshed');