<?php
/**
 * Authentication Configuration
 * Loads environment variables and configures Azure AD OAuth2
 */

// Load Composer autoloader
require_once __DIR__ . '/vendor/autoload.php';

// Load environment variables
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();

// Development Mode Configuration
define('DEV_MODE', filter_var($_ENV['DEV_MODE'] ?? false, FILTER_VALIDATE_BOOLEAN));

// Azure AD Configuration
define('AZURE_CLIENT_ID', $_ENV['AZURE_CLIENT_ID'] ?? '');
define('AZURE_AUTHORITY', $_ENV['AZURE_AUTHORITY'] ?? '');
define('AZURE_REDIRECT_URI', $_ENV['AZURE_REDIRECT_URI'] ?? '');

// Extract tenant ID from authority URL
if (AZURE_AUTHORITY) {
    preg_match('/\/([^\/]+)$/', AZURE_AUTHORITY, $matches);
    define('AZURE_TENANT_ID', $matches[1] ?? 'common');
} else {
    define('AZURE_TENANT_ID', 'common');
}

// Python API Configuration
define('PYTHON_API_URL', $_ENV['PYTHON_API_URL'] ?? 'http://localhost:5010');

// DeepL API Configuration
define('DEEPL_API_KEY', $_ENV['DEEPL_API_KEY'] ?? '');

// Session Configuration
define('SESSION_TIMEOUT', (int)($_ENV['SESSION_TIMEOUT'] ?? 28800)); // Default: 8 hours

// Configure secure session settings (only if session hasn't started yet)
if (session_status() === PHP_SESSION_NONE) {
    ini_set('session.cookie_httponly', '1');
    // Only require secure cookies in production (not in dev mode on localhost)
    ini_set('session.cookie_secure', DEV_MODE ? '0' : '1');
    ini_set('session.cookie_samesite', 'Lax');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.gc_maxlifetime', SESSION_TIMEOUT);
}

/**
 * Check if user is authenticated
 * @return bool
 */
function isAuthenticated() {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // In dev mode, auto-authenticate with mock user
    if (DEV_MODE) {
        if (!isset($_SESSION['authenticated']) || !$_SESSION['authenticated']) {
            // Initialize dev mode session with mock user
            $_SESSION['authenticated'] = true;
            $_SESSION['user_id'] = 'dev-user-' . uniqid();
            $_SESSION['user_name'] = 'Dev User (Local)';
            $_SESSION['user_email'] = 'dev@localhost';
            $_SESSION['last_activity'] = time();
            $_SESSION['user_files'] = [];
        }
        return true;
    }

    // Check if user is logged in
    if (!isset($_SESSION['authenticated']) || !$_SESSION['authenticated']) {
        return false;
    }

    // Check session timeout
    if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > SESSION_TIMEOUT)) {
        session_unset();
        session_destroy();
        return false;
    }

    // Update last activity time
    $_SESSION['last_activity'] = time();

    return true;
}

/**
 * Require authentication - redirect to login if not authenticated
 */
function requireAuth() {
    // In dev mode, authentication is auto-handled by isAuthenticated()
    if (DEV_MODE) {
        isAuthenticated(); // This will auto-create the session
        return;
    }

    if (!isAuthenticated()) {
        header('Location: login.php');
        exit;
    }
}

/**
 * Get current user information
 * @return array|null
 */
function getCurrentUser() {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    if (!isAuthenticated()) {
        return null;
    }

    return [
        'id' => $_SESSION['user_id'] ?? null,
        'name' => $_SESSION['user_name'] ?? null,
        'email' => $_SESSION['user_email'] ?? null
    ];
}