<?php
// ============================================================
// loginJwtDriver.php — تجديد توكن السائق
// ============================================================

require_once __DIR__ . '/core/bootstrap.php';

header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: https://siromove.com');
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

$startTime = microtime(true);

function unauthorizedDriver(): never {
    global $startTime;
    $elapsed = microtime(true) - $startTime;
    if ($elapsed < 0.1) usleep((int)((0.1 - $elapsed) * 1000000));
    jsonError('Invalid driver credentials', 401);
}

try {
    $limiter = new RateLimiter($redis);
    $limiter->enforce(RateLimiter::identifier(), 'login');

    $id          = filterRequest('id');
    $audience    = filterRequest('aud');
    $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint'); 

    $aud1 = getenv('allowedDriver1');
    $aud2 = getenv('allowedDriver2');
    $allowedAudiences = array_values(array_filter([$aud1, $aud2]));

    if (empty($id) || empty($audience)) {
        jsonError('Missing required fields', 400);
    }

    if (!in_array($audience, $allowedAudiences, true)) {
        jsonError('Invalid audience', 400);
    }

    $con = Database::get('main');
    $pepper = getenv('SECRET_KEY_HMAC');

    $stmt = $con->prepare('
        SELECT id, phone, national_number, email, password
        FROM driver
        WHERE id = :id
        LIMIT 1
    ');
    $stmt->execute([':id' => $id]);
    $driver = $stmt->fetch();

    if (!$driver || empty($driver['password'])) {
        unauthorizedDriver();
    }

    $decPhone = !empty($driver['phone']) ? $encryptionHelper->decryptData($driver['phone']) : null;
    $decNat   = !empty($driver['national_number']) ? $encryptionHelper->decryptData($driver['national_number']) : null;

    // ✅ FIX M-04: تسجيل معلومات تشخيصية عند فشل فك التشفير
    if (empty($decPhone) || empty($decNat)) {
        securityLog("LoginDriver failed: decryption returned null", [
            'driver_id' => $driver['id'] ?? 'unknown',
            'has_phone' => !empty($driver['phone']),
            'has_nat' => !empty($driver['national_number']),
        ]);
        unauthorizedDriver();
    }

    $baseString = $driver['id'] . '|' . trim($decPhone) . '|' . trim($decNat);
    $hmacHex    = hash_hmac('sha256', $baseString, $pepper, false);

    if (!password_verify($hmacHex, $driver['password'])) {
        unauthorizedDriver();
    }

    $limiter->reset(RateLimiter::identifier(), 'login');

    $jwtService = new JwtService($redis);
    $jwt = $jwtService->generateAccessToken($driver['id'], 'driver', $audience, $fingerprint);
    // $refresh = $jwtService->generateRefreshToken($driver['id']);

    jsonSuccess([
        'jwt' => $jwt,
        // 'refresh_token' => $refresh['token'],
        'expires_in' => 14400
    ]);

} catch (PDOException $e) {
    securityLog("LoginDriver PDO Error", ['msg' => $e->getMessage()]);
    jsonError('Database error', 500);
} catch (Exception $e) {
    securityLog("LoginDriver Error", ['msg' => $e->getMessage()]);
    jsonError('Server error', 500);
}