<?php

class Auth
{
    private static $oidc_issuer;
    private static $client_id;
    private static $client_secret;
    private static $initialized = false;

    private static function init()
    {
        if (!self::$initialized) {
            self::$oidc_issuer = $_ENV["OIDC_ISSUER"] ?? getenv("OIDC_ISSUER");
            self::$client_id =
                $_ENV["OIDC_CLIENT_ID"] ?? getenv("OIDC_CLIENT_ID");
            self::$client_secret =
                $_ENV["OIDC_CLIENT_SECRET"] ?? getenv("OIDC_CLIENT_SECRET");

            if (session_status() == PHP_SESSION_NONE) {
                session_start();
            }

            self::$initialized = true;
        }
    }

    private static function getRedirectUri()
    {
        $protocol =
            isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on"
                ? "https"
                : "http";
        $host = $_SERVER["HTTP_HOST"];
        $path = "/auth/login";
        return $protocol . "://" . $host . $path;
    }

    public static function middleware()
    {
        self::init();

        return function () {
            if (!isset($_SESSION["access_token"])) {
                Flight::redirect("/auth/login");
                return;
            }

            // Validate the token by making a request to userinfo endpoint
            $userinfo_endpoint = self::getDiscoveryEndpoint(
                "userinfo_endpoint",
            );

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $userinfo_endpoint);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, [
                "Authorization: Bearer " . $_SESSION["access_token"],
            ]);

            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);

            // If token validation fails, clear session and redirect to login
            if ($http_code !== 200) {
                unset($_SESSION["access_token"]);
                if (isset($_SESSION["id_token"])) {
                    unset($_SESSION["id_token"]);
                }
                if (isset($_SESSION["refresh_token"])) {
                    unset($_SESSION["refresh_token"]);
                }
                Flight::redirect("/auth/login");
            }
        };
    }

    public static function login($redirect_url)
    {
        self::init();

        if (isset($_GET["code"])) {
            // Handle callback
            $code = $_GET["code"];
            $token_endpoint = self::getDiscoveryEndpoint("token_endpoint");

            $post_data = [
                "grant_type" => "authorization_code",
                "code" => $code,
                "redirect_uri" => self::getRedirectUri(),
                "client_id" => self::$client_id,
                "client_secret" => self::$client_secret,
            ];

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $token_endpoint);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, [
                "Content-Type: application/x-www-form-urlencoded",
            ]);

            $response = curl_exec($ch);
            curl_close($ch);

            $token_data = json_decode($response, true);

            if (isset($token_data["access_token"])) {
                $_SESSION["access_token"] = $token_data["access_token"];
                $_SESSION["id_token"] = $token_data["id_token"] ?? null;
                $_SESSION["refresh_token"] =
                    $token_data["refresh_token"] ?? null;

                Flight::redirect($redirect_url);
            } else {
                Flight::halt(500, "Failed to obtain access token");
            }
        } else {
            // Show login page
            $auth_endpoint = self::getDiscoveryEndpoint(
                "authorization_endpoint",
            );
            $state = bin2hex(random_bytes(16));
            $_SESSION["oauth_state"] = $state;

            $params = [
                "response_type" => "code",
                "client_id" => self::$client_id,
                "redirect_uri" => self::getRedirectUri(),
                "scope" => "openid profile email",
                "state" => $state,
            ];

            $login_url = $auth_endpoint . "?" . http_build_query($params);

            echo '<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
    <style>
        body { font-family: Arial, sans-serif; text-align: center; margin-top: 100px; }
        .login-btn {
            background-color: #007cba;
            color: white;
            padding: 15px 30px;
            text-decoration: none;
            border-radius: 5px;
            font-size: 16px;
        }
        .login-btn:hover { background-color: #005a87; }
    </style>
</head>
<body>
    <h1>Login Required</h1>
    <p>Please click the button below to authenticate</p>
    <a href="' .
                htmlspecialchars($login_url) .
                '" class="login-btn">Login with OIDC</a>
</body>
</html>';
        }
    }

    public static function user()
    {
        self::init();

        if (!isset($_SESSION["access_token"])) {
            return null;
        }

        $userinfo_endpoint = self::getDiscoveryEndpoint("userinfo_endpoint");

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $userinfo_endpoint);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            "Authorization: Bearer " . $_SESSION["access_token"],
        ]);

        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        if ($http_code === 200) {
            return json_decode($response, true);
        }

        return null;
    }

    public static function logout()
    {
        self::init();

        // Clear session
        if (isset($_SESSION["access_token"])) {
            unset($_SESSION["access_token"]);
        }
        if (isset($_SESSION["id_token"])) {
            unset($_SESSION["id_token"]);
        }
        if (isset($_SESSION["refresh_token"])) {
            unset($_SESSION["refresh_token"]);
        }

        Flight::redirect("/");
    }

    private static function getDiscoveryEndpoint($endpoint)
    {
        $discovery_url =
            rtrim(self::$oidc_issuer, "/") .
            "/.well-known/openid-configuration";

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $discovery_url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);

        $response = curl_exec($ch);
        curl_close($ch);

        $discovery = json_decode($response, true);

        if (!isset($discovery[$endpoint])) {
            throw new Exception(
                "Endpoint {$endpoint} not found in OIDC discovery: " .
                    $discovery_url,
            );
        }

        return $discovery[$endpoint];
    }
}