<?php

declare(strict_types=1);

use App\App\Bootstrap;
use App\Security\Csrf;
use App\Security\FormAccess;

require dirname(__DIR__) . '/src/autoload.php';
Bootstrap::init();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Method not allowed'], 405);
}

$csrf = $_POST['csrf'] ?? '';
if (!Csrf::validate(is_string($csrf) ? $csrf : null)) {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Ungültiges CSRF-Token.'], 419);
}

if (trim((string) ($_POST['website'] ?? '')) !== '') {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Anfrage blockiert.'], 400);
}

$email = strtolower(trim((string) ($_POST['email'] ?? '')));
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Bitte gültige E-Mail eingeben.'], 422);
}

$code = trim((string) ($_POST['otp_code'] ?? ''));

$formAccess = new FormAccess();
$result = $formAccess->verifyOtp($email, $code);
if (($result['ok'] ?? false) !== true) {
    $reason = (string) ($result['reason'] ?? '');
    Bootstrap::jsonResponse([
        'ok' => false,
        'message' => (string) ($result['message'] ?? 'Code konnte nicht bestätigt werden.'),
        'auth_required' => in_array($reason, ['auth_required', 'expired', 'attempt_limit'], true),
        'auth_expired' => false,
        'attempts_left' => isset($result['attempts_left']) ? (int) $result['attempts_left'] : null,
    ], (int) ($result['status_code'] ?? 422));
}

Bootstrap::jsonResponse([
    'ok' => true,
    'message' => 'E-Mail erfolgreich bestätigt.',
]);