<?php
// ============================================================
// loginJwtDriver.php — تجديد توكن السائق
// ============================================================

require_once __DIR__ . '/core/bootstrap.php';

header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: https://siromove.com');
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

$startTime = microtime(true);

function unauthorizedDriver(): never {
    global $startTime;
    $elapsed = microtime(true) - $startTime;
    if ($elapsed < 0.1) usleep((int)((0.1 - $elapsed) * 1000000));
    jsonError('Invalid driver credentials', 401);
}

try {
    $limiter = new RateLimiter($redis);
    $limiter->enforce(RateLimiter::identifier(), 'login');

    $id          = filterRequest('id');
    $audience    = filterRequest('aud');
    $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint'); 

    $aud1 = getenv('allowedDriver1');
    $aud2 = getenv('allowedDriver2');
    $allowedAudiences = array_values(array_filter([$aud1, $aud2]));

    if (empty($id) || empty($audience)) {
        jsonError('Missing required fields', 400);
    }

    if (!in_array($audience, $allowedAudiences, true)) {
        jsonError('Invalid audience', 400);
    }

    $con = Database::get('main');
    $pepper = getenv('SECRET_KEY_HMAC');

    $stmt = $con->prepare('
        SELECT id, phone, national_number, email, password, birthdate
        FROM driver
        WHERE id = :id
        LIMIT 1
    ');
    $stmt->execute([':id' => $id]);
    $driver = $stmt->fetch();

    if (!$driver || empty($driver['password'])) {
        unauthorizedDriver();
    }

    $decPhone = !empty($driver['phone']) ? $encryptionHelper->decryptData($driver['phone']) : null;
    $decNat   = !empty($driver['national_number']) ? $encryptionHelper->decryptData($driver['national_number']) : null;

    if (empty($decPhone)) {
        securityLog("LoginDriver failed: phone decryption returned null", [
            'driver_id' => $driver['id'] ?? 'unknown',
        ]);
        unauthorizedDriver();
    }

    // ── المحاولة الأولى: طريقة جديدة (قيم خام) ─────────────
    $newParts = [
        $driver['id'],
        trim($decPhone),
    ];
    if (!empty($decNat)) {
        $newParts[] = trim($decNat);
    }
    $newString = implode('|', $newParts);
    $newSecret = hash_hmac('sha256', $newString, $pepper, true);

    if (password_verify($newSecret, $driver['password'])) {
        // ✅ صح - طريقة جديدة
    } else {
        // ── المحاولة الثانية: طريقة قديمة (قيم مشفرة) للتوافق ─
        $oldParts = [
            $driver['id'],
            $encryptionHelper->encryptData(trim($decPhone)),
        ];
        if (!empty($decNat)) {
            $oldParts[] = $encryptionHelper->encryptData(trim($decNat));
        }
        $oldString = implode('|', $oldParts);
        $oldSecret = hash_hmac('sha256', $oldString, $pepper, true);

        if (!password_verify($oldSecret, $driver['password'])) {
            unauthorizedDriver();
        }
    }

    $limiter->reset(RateLimiter::identifier(), 'login');

    $jwtService = new JwtService($redis);
    $jwt = $jwtService->generateAccessToken($driver['id'], 'driver', $audience, $fingerprint);
    // $refresh = $jwtService->generateRefreshToken($driver['id']);

    jsonSuccess([
        'jwt' => $jwt,
        // 'refresh_token' => $refresh['token'],
        'expires_in' => 14400
    ]);

} catch (PDOException $e) {
    securityLog("LoginDriver PDO Error", ['msg' => $e->getMessage()]);
    jsonError('Database error', 500);
} catch (Exception $e) {
    securityLog("LoginDriver Error", ['msg' => $e->getMessage()]);
    jsonError('Server error', 500);
}