<?php
// ============================================================
// loginWallet.php — توكن محفظة الراكب
// ============================================================

require_once __DIR__ . '/core/bootstrap.php';

header('Content-Type: application/json');
header('Access-Control-Allow-Origin: https://intaleqapp.com');
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Device-FP');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(200);
    exit;
}

try {
    $limiter = new RateLimiter($redis);
    // محفظة الراكب نستخدم 'login' limit، يمكن فصله لـ 'wallet' إذا أردت
    $limiter->enforce(RateLimiter::identifier(), 'login');

    $id          = filterRequest('id');
    $password    = filterRequest('password');
    $audience    = filterRequest('aud');
    $fingerPrint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');

    $allowed1 = getenv('allowed1');
    $allowed2 = getenv('allowed2');
    $allowedAudiences = array_values(array_filter([$allowed1, $allowed2]));
    $passwordnewpassenger = getenv('passwordnewpassenger');

    if (empty($id) || empty($password) || empty($audience) || empty($fingerPrint)) {
        jsonError('Missing required parameters', 400);
    }

    if (!in_array($audience, $allowedAudiences, true)) {
        jsonError('Invalid audience', 400);
    }

    if (!password_verify($password, $passwordnewpassenger)) {
        securityLog("Wallet login failed (password)", ['id' => $id]);
        jsonError('Invalid credentials', 401);
    }

    $con = Database::get('main');

    $stmt = $con->prepare('
        SELECT passengerID, fingerPrint
        FROM tokens
        WHERE passengerID = :pid
        LIMIT 1
    ');
    $stmt->execute([':pid' => $id]);
    $tokenData = $stmt->fetch();

    if (!$tokenData || !hash_equals($tokenData['fingerPrint'], $fingerPrint)) {
        securityLog("Wallet FP mismatch", ['id' => $id]);
        jsonError('Device verification failed', 403);
    }

    $limiter->reset(RateLimiter::identifier(), 'login');

    $jwtService = new JwtService($redis);
    
    $fpPepper = getenv('FP_PEPPER') ?: '';
    $fpHash = hash('sha256', $fingerPrint . $fpPepper);

    $payload = [
        'user_id'     => $id,
        'fingerPrint' => $fpHash,
        'exp'         => time() + 300, // 5 دقائق تم إصلاحه
        'iat'         => time(),
        'iss'         => 'Tripz-Wallet',
        'aud'         => $audience,
        'jti'         => bin2hex(random_bytes(16)),
    ];

    $secretKey = trim((string)@file_get_contents('/home/intaleq-api/.secret_key_pay'));
    $jwt = Firebase\JWT\JWT::encode($payload, $secretKey, 'HS256');

    $hmac = hash_hmac('sha256', $id, getenv('SECRET_KEY_HMAC'));

    jsonSuccess([
        'status'     => 'success',
        'jwt'        => $jwt,
        'hmac'       => $hmac,
        'expires_in' => 300,
    ]);

} catch (PDOException $e) {
    securityLog("LoginWallet PDO Error", ['msg' => $e->getMessage()]);
    jsonError('Database error', 500);
} catch (Exception $e) {
    securityLog("LoginWallet Error", ['msg' => $e->getMessage()]);
    jsonError('Server error', 500);
}