app/api/admin/totp.php

<?php

/**
 * BOHA Automation - TOTP 2FA API
 *
 * GET  ?action=status           - 2FA status
 * POST ?action=setup            - generovat secret + QR
 * POST ?action=enable           - overit kod a aktivovat 2FA
 * POST ?action=disable          - deaktivovat 2FA
 * POST ?action=verify           - overit TOTP kod pri loginu (pre-auth)
 * POST ?action=backup_verify    - overit zalozhni kod pri loginu (pre-auth)
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/AuditLog.php';
require_once dirname(__DIR__) . '/includes/RateLimiter.php';
require_once dirname(__DIR__) . '/includes/Encryption.php';
require_once __DIR__ . '/handlers/totp-handlers.php';

use RobThree\Auth\TwoFactorAuth;
use RobThree\Auth\TwoFactorAuthException;
use RobThree\Auth\Providers\Qr\QRServerProvider;

setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

$method = $_SERVER['REQUEST_METHOD'];
$action = $_GET['action'] ?? '';

try {
    $pdo = db();

    switch ($action) {
        case 'status':
            handleStatus($pdo);
            break;
        case 'setup':
            handleSetup($pdo, getTfa());
            break;
        case 'enable':
            handleEnable($pdo, getTfa());
            break;
        case 'disable':
            handleDisable($pdo, getTfa());
            break;
        case 'verify':
            handleVerify($pdo, getTfa());
            break;
        case 'backup_verify':
            handleBackupVerify($pdo);
            break;
        case 'get_required':
            handleGetRequired($pdo);
            break;
        case 'set_required':
            handleSetRequired($pdo);
            break;
        default:
            errorResponse('Neplatná akce', 400);
    }
} catch (PDOException $e) {
    error_log('TOTP API error: ' . $e->getMessage());
    errorResponse('Chyba databáze', 500);
} catch (Exception $e) {
    error_log('TOTP error: ' . $e->getMessage());
    errorResponse('Došlo k chybě', 500);
}