<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class TwoFactorController extends Controller
{
    public function show()
    {
        $user = auth()->user();
        return view('auth.2fa-settings', compact('user'));
    }

    public function enable(Request $request)
    {
        $user = auth()->user();
        
        if ($user->isTwoFactorEnabled()) {
            return redirect()->route('2fa.settings')->with('error', __('auth.2fa_already_enabled'));
        }

        $google2fa = app('pragmarx.google2fa');
        $secret = $google2fa->generateSecretKey();
        
        $qrCodeUrl = $google2fa->getQRCodeUrl(
            config('app.name'),
            $user->email,
            $secret
        );

        // Generate QR code image
        $qrCode = \BaconQrCode\Renderer\ImageRenderer::class;
        $writer = new \BaconQrCode\Writer(new \BaconQrCode\Renderer\ImageRenderer(
            new \BaconQrCode\Renderer\RendererStyle\RendererStyle(400),
            new \BaconQrCode\Renderer\Image\SvgImageBackEnd()
        ));
        $qrCodeSvg = $writer->writeString($qrCodeUrl);

        session(['2fa_secret' => $secret]);

        return view('auth.2fa-enable', [
            'secret' => $secret,
            'qrCodeSvg' => $qrCodeSvg,
        ]);
    }

    public function confirm(Request $request)
    {
        $request->validate([
            'code' => ['required', 'string', 'size:6'],
        ]);

        $user = auth()->user();
        $secret = session('2fa_secret');

        if (!$secret) {
            return redirect()->route('2fa.settings')->with('error', __('auth.2fa_session_expired'));
        }

        $google2fa = app('pragmarx.google2fa');
        
        if (!$google2fa->verifyKey($secret, $request->code)) {
            return back()->withErrors(['code' => __('auth.2fa_invalid')]);
        }

        // Enable 2FA
        $recoveryCodes = $user->generateRecoveryCodes();
        $user->setTwoFactorSecret($secret);
        $user->two_factor_recovery_codes = $recoveryCodes;
        $user->two_factor_enabled = true;
        $user->save();

        session()->forget('2fa_secret');

        return view('auth.2fa-recovery-codes', [
            'recoveryCodes' => $recoveryCodes,
        ]);
    }

    public function disable(Request $request)
    {
        $request->validate([
            'password' => ['required', 'string'],
            'code' => ['nullable', 'string'],
        ]);

        $user = auth()->user();

        if (!Hash::check($request->password, $user->password)) {
            return back()->withErrors(['password' => __('auth.password_incorrect')]);
        }

        // If 2FA is enabled, verify the code
        if ($user->isTwoFactorEnabled() && $request->code) {
            $google2fa = app('pragmarx.google2fa');
            $secret = $user->getTwoFactorSecret();
            
            if (!$google2fa->verifyKey($secret, $request->code)) {
                return back()->withErrors(['code' => __('auth.2fa_invalid')]);
            }
        }

        $user->two_factor_secret = null;
        $user->two_factor_recovery_codes = null;
        $user->two_factor_enabled = false;
        $user->save();

        return redirect()->route('2fa.settings')->with('success', __('auth.2fa_disabled'));
    }

    public function regenerateRecoveryCodes()
    {
        $user = auth()->user();

        if (!$user->isTwoFactorEnabled()) {
            return redirect()->route('2fa.settings')->with('error', __('auth.2fa_not_enabled'));
        }

        $recoveryCodes = $user->generateRecoveryCodes();
        $user->two_factor_recovery_codes = $recoveryCodes;
        $user->save();

        return view('auth.2fa-recovery-codes', [
            'recoveryCodes' => $recoveryCodes,
        ]);
    }
}