<?php
/**
 * Authentication handler for Ziti Router Enrollment UI
 */

require_once 'config.php';

class AuthManager {
    
    /**
     * Authenticate user with username and password
     */
    public static function authenticate($username, $password) {
        $username = sanitizeInput($username);
        
        if ($username === ADMIN_USERNAME && password_verify($password, ADMIN_PASSWORD_HASH)) {
            $_SESSION['authenticated'] = true;
            $_SESSION['username'] = $username;
            $_SESSION['last_activity'] = time();
            $_SESSION['login_time'] = time();
            
            // Check if this is first login with default credentials
            if (USER_FIRST_LOGIN) {
                $_SESSION['requires_setup'] = true;
            }
            
            // Generate new CSRF token
            generateCSRFToken();
            
            logMessage('INFO', "User '$username' logged in successfully from " . $_SERVER['REMOTE_ADDR']);
            return true;
        }
        
        logMessage('WARNING', "Failed login attempt for user '$username' from " . $_SERVER['REMOTE_ADDR']);
        return false;
    }
    
    /**
     * Logout user
     */
    public static function logout() {
        if (isset($_SESSION['username'])) {
            logMessage('INFO', "User '{$_SESSION['username']}' logged out");
        }
        
        session_destroy();
        session_start();
    }
    
    /**
     * Check if user is authenticated and session is valid
     */
    public static function requireAuth() {
        if (!isAuthenticated() || !isSessionValid()) {
            header('Location: index.php?error=session_expired');
            exit;
        }
    }
    
    /**
     * Get current user info
     */
    public static function getCurrentUser() {
        if (!isAuthenticated()) {
            return null;
        }
        
        return [
            'username' => $_SESSION['username'] ?? '',
            'login_time' => $_SESSION['login_time'] ?? 0,
            'last_activity' => $_SESSION['last_activity'] ?? 0
        ];
    }
    
    /**
     * Check CSRF token for forms
     */
    public static function requireCSRF() {
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            $token = $_POST[CSRF_TOKEN_NAME] ?? '';
            if (!verifyCSRFToken($token)) {
                http_response_code(403);
                die('CSRF token validation failed');
            }
        }
    }
    
    /**
     * Change user credentials (username and/or password)
     */
    public static function changeCredentials($currentPassword, $newUsername, $newPassword) {
        // Verify current password
        if (!password_verify($currentPassword, ADMIN_PASSWORD_HASH)) {
            return ['success' => false, 'error' => 'Current password is incorrect'];
        }
        
        // Validate new username
        $newUsername = sanitizeInput($newUsername);
        if (strlen($newUsername) < 3 || strlen($newUsername) > 20) {
            return ['success' => false, 'error' => 'Username must be between 3 and 20 characters'];
        }
        
        if (!preg_match('/^[a-zA-Z0-9_]+$/', $newUsername)) {
            return ['success' => false, 'error' => 'Username can only contain letters, numbers, and underscores'];
        }
        
        // Validate new password
        if (strlen($newPassword) < 6) {
            return ['success' => false, 'error' => 'Password must be at least 6 characters long'];
        }
        
        try {
            // Load current user config
            $userConfig = loadUserConfig();
            
            // Update credentials
            $userConfig['username'] = $newUsername;
            $userConfig['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
            $userConfig['first_login'] = false;
            $userConfig['last_updated'] = time();
            
            // Save updated config
            saveUserConfig($userConfig);
            
            logMessage('INFO', "User credentials changed successfully. New username: '$newUsername'");
            
            return ['success' => true, 'message' => 'Credentials updated successfully'];
            
        } catch (Exception $e) {
            logMessage('ERROR', "Failed to update user credentials: " . $e->getMessage());
            return ['success' => false, 'error' => 'Failed to save new credentials'];
        }
    }
    
    /**
     * Check if user requires setup (first login)
     */
    public static function requiresSetup() {
        return isset($_SESSION['requires_setup']) && $_SESSION['requires_setup'] === true;
    }
    
    /**
     * Complete initial setup
     */
    public static function completeSetup($currentPassword, $newUsername, $newPassword) {
        $result = self::changeCredentials($currentPassword, $newUsername, $newPassword);
        
        if ($result['success']) {
            // Clear setup requirement
            unset($_SESSION['requires_setup']);
            logMessage('INFO', "Initial setup completed for user: '$newUsername'");
        }
        
        return $result;
    }
}

/**
 * Handle login form submission
 */
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'login') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    
    if (AuthManager::authenticate($username, $password)) {
        header('Location: dashboard.php');
        exit;
    } else {
        $loginError = 'Invalid username or password';
    }
}

/**
 * Handle logout
 */
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    AuthManager::logout();
    header('Location: index.php?message=logged_out');
    exit;
}
?>