<?php

/**
 * BOHA Automation - Session Check API (JWT)
 *
 * GET /api/admin/session.php
 *
 * Checks if the user has a valid session by:
 * 1. First checking the Authorization header for a valid access token
 * 2. If no valid access token, tries to refresh using the refresh_token cookie
 *
 * Response:
 * {
 *   "success": true,
 *   "data": {
 *     "authenticated": boolean,
 *     "user": { ... } | null,
 *     "access_token": "string" | null,
 *     "expires_in": int | null
 *   }
 * }
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/RateLimiter.php';

setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

// 200 req/min - vola se pri kazde zmene route
$rateLimiter = new RateLimiter();
$rateLimiter->enforce('session', 200);

// Cleanup expired refresh tokenu (0.1% sance)
if (rand(1, 1000) === 1) {
    try {
        JWTAuth::cleanupExpiredTokens();
    } catch (Exception $e) {
    }
}

if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'POST'])) {
    errorResponse('Metoda není povolena', 405);
}

/** @return array<string, mixed> */
function get2FAInfo(PDO $pdo, int $userId): array
{
    try {
        $stmt = $pdo->prepare("SELECT totp_enabled FROM users WHERE id = ?");
        $stmt->execute([$userId]);
        $row = $stmt->fetch();

        $r2fa = $pdo->query("SELECT require_2fa FROM company_settings LIMIT 1");
        return [
            'totp_enabled' => (bool) ($row['totp_enabled'] ?? false),
            'require_2fa' => (bool) $r2fa->fetchColumn(),
        ];
    } catch (PDOException $e) {
        return ['totp_enabled' => false, 'require_2fa' => false];
    }
}

$authData = JWTAuth::optionalAuth();

if ($authData) {
    $userData = $authData['user'];
    $userData['permissions'] = JWTAuth::getUserPermissions($authData['user_id']);

    $twoFA = get2FAInfo(db(), $authData['user_id']);
    $userData['totp_enabled'] = $twoFA['totp_enabled'];
    $userData['require_2fa'] = $twoFA['require_2fa'];

    successResponse([
        'authenticated' => true,
        'user' => $userData,
        'access_token' => null,
        'expires_in' => null,
    ]);
}

$refreshToken = $_COOKIE['refresh_token'] ?? null;

if ($refreshToken) {
    $result = JWTAuth::refreshTokens();

    if ($result) {
        $twoFA = get2FAInfo(db(), $result['user']['id']);
        $result['user']['totp_enabled'] = $twoFA['totp_enabled'];
        $result['user']['require_2fa'] = $twoFA['require_2fa'];

        successResponse([
            'authenticated' => true,
            'user' => $result['user'],
            'access_token' => $result['access_token'],
            'expires_in' => $result['expires_in'],
        ]);
    }
}

successResponse([
    'authenticated' => false,
    'user' => null,
    'access_token' => null,
    'expires_in' => null,
]);