config();
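$session = app()->session();
$session->start();

if (!$config->authEnabled) {
    echo '
Auth ist deaktiviert.
';
    return;
}

// Only accept scalar query parameters. A `code[]=` style array would otherwise be
// cast to the literal string "Array" (with a warning) and forwarded to the IdP.
$queryParam = static function (string $key): string {
    $value = $_GET[$key] ?? null;
    return is_string($value) ? $value : '';
};

$code = $queryParam('code');
$state = $queryParam('state');
$expectedState = (string)($_SESSION['oidc_state'] ?? '');
$nonce = (string)($_SESSION['oidc_nonce'] ?? '');

// CSRF binding: the callback is only honoured when the state echoed by the IdP matches
// the one stored when the flow was started in *this* session. The nonce is required too,
// since the ID token cannot be bound to the session without it (validated further down).
// hash_equals() keeps the comparison constant-time.
if ($code === '' || $state === '' || $expectedState === '' || $nonce === ''
    || !hash_equals($expectedState, $state)) {
    echo 'Ungültiger Login-Status.
';
    return;
}

// The state is single-use: drop it before any network round trip so a replayed
// callback cannot reuse it.
unset($_SESSION['oidc_state']);

$client = new OidcClient($config);
$token = $client->exchangeCode($code);
$idToken = (string)($token['id_token'] ?? '');
$accessToken = (string)($token['access_token'] ?? '');

if ($idToken === '') {
    echo 'Kein ID Token erhalten.
';
    return;
}

$claims = $client->decodeJwt($idToken);
// NOTE(review): assumed to throw on an invalid token (signature, issuer, audience,
// expiry, nonce mismatch) — nothing below inspects a return value, so confirm against
// OidcClient::validateIdToken().
$client->validateIdToken($claims, $nonce);
// The nonce is single-use as well.
unset($_SESSION['oidc_nonce']);

$groups = $client->groupsFromClaims($claims);
$accessClaims = null;
if (!$groups && $accessToken !== '') {
    // Fallback: some IdPs only place group membership into the access token. That token
    // came straight from the token endpoint (back channel, not via the browser) and is
    // NOT run through validateIdToken() here — confirm decodeJwt() checks the signature
    // if group membership from this path drives authorisation decisions.
    try {
        $accessClaims = $client->decodeJwt($accessToken);
        $groups = $client->groupsFromClaims($accessClaims);
    } catch (\Throwable $e) {
        // Best effort only: an undecodable access token simply means "no groups".
    }
}

$user = [
    'sub' => (string)($claims['sub'] ?? ''),
    'email' => (string)($claims['email'] ?? ''),
    'name' => (string)($claims['name'] ?? $claims['preferred_username'] ?? ''),
    'groups' => $groups,
    // Kept for RP-initiated logout / downstream use; it is never echoed to the client.
    'id_token' => $idToken,
];

// Session fixation defence: the session ID that existed before authentication must not
// stay valid once the session carries an authenticated user. $_SESSION is used directly
// above, so the native session is active; the guard keeps this a no-op otherwise.
if (session_status() === PHP_SESSION_ACTIVE) {
    session_regenerate_id(true);
}
$_SESSION['auth_user'] = $user;

if (defined('APP_AUTH_DEBUG') && APP_AUTH_DEBUG) {
    // Debug only: this record contains the complete claim sets (PII) and token metadata.
    // It is gated by the APP_AUTH_DEBUG constant and written next to the app, so keep the
    // constant undefined outside local development.
    $log = [
        'ts' => date('c'),
        'sub' => $user['sub'],
        'email' => $user['email'],
        'name' => $user['name'],
        'groups' => $groups,
        'id_token_claims' => $claims,
        // Only populated when the access-token fallback above actually decoded something.
        'access_token_claims' => $accessClaims,
        'token_meta' => [
            'has_id_token' => $idToken !== '',
            'has_access_token' => $accessToken !== '',
            'expires_in' => $token['expires_in'] ?? null,
            'refresh_expires_in' => $token['refresh_expires_in'] ?? null,
            'scope' => $token['scope'] ?? null,
        ],
        'claim_source' => $groups ? 'id_token_or_access_token' : 'none',
    ];
    $line = json_encode($log, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
    $logFile = __DIR__ . '/../../../debug/oidc_login.log';
    // Logging must never break the login; a failed write only leaves a trace in the
    // server error log (without the sensitive payload).
    if ($line === false || @file_put_contents($logFile, $line . PHP_EOL, FILE_APPEND) === false) {
        error_log('oidc_login: could not write debug log entry');
    }
}

redirect('/');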