<?php
/**
 * Mobile OTP Request Endpoint
 * POST /v1/auth/mobile/request-otp
 * 
 * Sends an OTP to the user's registered phone number.
 * The phone must already be registered by an admin in the web dashboard.
 */

declare(strict_types=1);

use App\Core\Database;
use App\Core\Validator;
use App\Core\Security;
use App\Middleware\RateLimitMiddleware;

// Rate limit: 3 OTP requests per minute per IP
RateLimitMiddleware::check(3, 60);

try {
    $data = Security::sanitize(input());

    // 1. Validate
    $errors = Validator::validate($data, [
        'phone' => 'required',
    ]);

    if ($errors) {
        json_error('رقم الهاتف مطلوب', 422, $errors);
    }

    $phone = preg_replace('/[^0-9+]/', '', $data['phone']);
    $phone = ltrim($phone, '+');
    if (str_starts_with($phone, '07')) {
        $phone = '962' . substr($phone, 1);
    } elseif (str_starts_with($phone, '7')) {
        $phone = '962' . $phone;
    }
    
    $phoneHash = hash('sha256', $phone);

    // 2. Find user by phone hash OR plain phone (Support both schemas)
    $db = Database::getInstance();
    
    // First, try to find by phone_hash. If it fails, we'll catch it.
    try {
        $stmt = $db->prepare("SELECT id, tenant_id, name, is_active FROM users WHERE phone_hash = ? LIMIT 1");
        $stmt->execute([$phoneHash]);
        $user = $stmt->fetch();
    } catch (\PDOException $e) {
        try {
            // Fallback to searching by plain phone if phone_hash column doesn't exist
            $stmt = $db->prepare("SELECT id, tenant_id, name, is_active FROM users WHERE phone = ? LIMIT 1");
            $stmt->execute([$phone]);
            $user = $stmt->fetch();
        } catch (\PDOException $fallbackException) {
            json_error('حدث خطأ في قاعدة البيانات: ' . $fallbackException->getMessage(), 500);
        }
    }

    if (!$user) {
        // Don't reveal if phone exists — generic message
        json_success(null, 'إذا كان الرقم مسجلاً، سيتم إرسال رمز التحقق');
        exit;
    }

    if (!$user['is_active']) {
        json_error('الحساب معطّل. تواصل مع المسؤول.', 403);
    }

    // 3. Generate OTP (6 digits)
    $otp = str_pad((string)random_int(100000, 999999), 6, '0', STR_PAD_LEFT);
    $otpHash = password_hash($otp, PASSWORD_DEFAULT);
    $expiresAt = date('Y-m-d H:i:s', time() + 300); // 5 minutes

    // 4. Store OTP in database (or Redis if available)
    $cacheDir = STORAGE_PATH . '/cache/otp';
    if (!is_dir($cacheDir)) {
        mkdir($cacheDir, 0755, true);
    }

    $otpData = [
        'hash' => $otpHash,
        'user_id' => $user['id'],
        'attempts' => 0,
        'max_attempts' => 5,
        'expires_at' => time() + 300,
        'created_at' => time(),
    ];

    $fp = fopen($cacheDir . '/otp_' . $phoneHash . '.json', 'w');
    if ($fp) {
        flock($fp, LOCK_EX);
        fwrite($fp, json_encode($otpData));
        flock($fp, LOCK_UN);
        fclose($fp);
    }

    // 5. Send OTP via WhatsApp Proxy
    $whatsappService = new \App\Services\WhatsAppProxyService();
    $message = "رمز التحقق لتطبيق مُصادَق:\n*{$otp}*\n\nصالح لمدة 5 دقائق.";
    $result = $whatsappService->sendMessage($phone, $message);

    if (!$result['success']) {
        error_log("ERROR: Failed to send OTP WhatsApp to phone: {$phone}");
        json_error('عذراً، فشل في إرسال رمز التحقق. الرجاء التأكد من صحة رقم الواتساب الخاص بك والمحاولة مرة أخرى.', 500, ['whatsapp_debug' => $result]);
    }

    // Log for development (REMOVE IN PRODUCTION!)
    if (env('APP_DEBUG', 'false') === 'true') {
        error_log("DEV OTP for {$phone}: {$otp}");
    }

    json_success(['whatsapp_debug' => $result], 'إذا كان الرقم مسجلاً، سيتم إرسال رمز التحقق عبر واتساب');

} catch (\Exception $e) {
    safe_error($e, 'auth/mobile_request_otp');
}