<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class TwoFactorController extends Controller
{
    public function status(Request $request)
    {
        $user = $request->user();
        
        return response()->json([
            'enabled' => $user->isTwoFactorEnabled(),
        ]);
    }

    public function enable(Request $request)
    {
        $user = $request->user();
        
        if ($user->isTwoFactorEnabled()) {
            return response()->json([
                'message' => __('auth.2fa_already_enabled'),
            ], 400);
        }

        $google2fa = app('pragmarx.google2fa');
        $secret = $google2fa->generateSecretKey();
        
        // Generate QR code URL
        $qrCodeUrl = $google2fa->getQRCodeUrl(
            config('app.name'),
            $user->email,
            $secret
        );

        // Store secret temporarily (not enabled until confirmed)
        session(['2fa_secret' => $secret]);

        return response()->json([
            'secret' => $secret,
            'qr_code_url' => $qrCodeUrl,
        ]);
    }

    public function confirm(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'code' => ['required', 'string', 'size:6'],
        ]);

        if ($validator->fails()) {
            return response()->json(['errors' => $validator->errors()], 422);
        }

        $user = $request->user();
        $secret = session('2fa_secret');

        if (!$secret) {
            return response()->json([
                'message' => __('auth.2fa_session_expired'),
            ], 400);
        }

        $google2fa = app('pragmarx.google2fa');
        
        if (!$google2fa->verifyKey($secret, $request->code)) {
            return response()->json([
                'message' => __('auth.2fa_invalid'),
            ], 401);
        }

        // Enable 2FA
        $recoveryCodes = $user->generateRecoveryCodes();
        $user->setTwoFactorSecret($secret);
        $user->two_factor_recovery_codes = $recoveryCodes;
        $user->two_factor_enabled = true;
        $user->save();

        session()->forget('2fa_secret');

        return response()->json([
            'message' => __('auth.2fa_enabled'),
            'recovery_codes' => $recoveryCodes,
        ]);
    }

    public function disable(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'password' => ['required', 'string'],
            'code' => ['nullable', 'string'],
        ]);

        if ($validator->fails()) {
            return response()->json(['errors' => $validator->errors()], 422);
        }

        $user = $request->user();

        // Verify password
        if (!\Hash::check($request->password, $user->password)) {
            return response()->json([
                'message' => __('auth.password_incorrect'),
            ], 401);
        }

        // If 2FA is enabled, verify the code
        if ($user->isTwoFactorEnabled() && $request->code) {
            $google2fa = app('pragmarx.google2fa');
            $secret = $user->getTwoFactorSecret();
            
            if (!$google2fa->verifyKey($secret, $request->code)) {
                return response()->json([
                    'message' => __('auth.2fa_invalid'),
                ], 401);
            }
        }

        // Disable 2FA
        $user->two_factor_secret = null;
        $user->two_factor_recovery_codes = null;
        $user->two_factor_enabled = false;
        $user->save();

        return response()->json([
            'message' => __('auth.2fa_disabled'),
        ]);
    }

    public function regenerateRecoveryCodes(Request $request)
    {
        $user = $request->user();

        if (!$user->isTwoFactorEnabled()) {
            return response()->json([
                'message' => __('auth.2fa_not_enabled'),
            ], 400);
        }

        $recoveryCodes = $user->generateRecoveryCodes();
        $user->two_factor_recovery_codes = $recoveryCodes;
        $user->save();

        return response()->json([
            'message' => __('auth.recovery_codes_regenerated'),
            'recovery_codes' => $recoveryCodes,
        ]);
    }
}