<?php

declare(strict_types=1);

use App\App\Bootstrap;
use App\Security\Csrf;
use App\Security\FormAccess;
use App\Security\RateLimiter;

require dirname(__DIR__) . '/src/autoload.php';
Bootstrap::init();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Method not allowed'], 405);
}

$csrf = $_POST['csrf'] ?? '';
if (!Csrf::validate(is_string($csrf) ? $csrf : null)) {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Ungueltiges CSRF-Token.'], 419);
}

if (trim((string) ($_POST['website'] ?? '')) !== '') {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Anfrage blockiert.'], 400);
}

$email = strtolower(trim((string) ($_POST['email'] ?? '')));
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Bitte gueltige E-Mail eingeben.'], 422);
}

$code = trim((string) ($_POST['otp_code'] ?? ''));

$app = Bootstrap::config('app');
$limiter = new RateLimiter();
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$rateKey = sprintf('otp-verify:%s:%s', $ip, $email);
if (!$limiter->allow($rateKey, (int) $app['rate_limit']['requests'], (int) $app['rate_limit']['window_seconds'])) {
    Bootstrap::jsonResponse(['ok' => false, 'message' => 'Zu viele Anfragen. Bitte spaeter erneut versuchen.'], 429);
}

$formAccess = new FormAccess();
$result = $formAccess->verifyOtp($email, $code);
if (($result['ok'] ?? false) !== true) {
    $reason = (string) ($result['reason'] ?? '');
    Bootstrap::jsonResponse([
        'ok' => false,
        'message' => (string) ($result['message'] ?? 'Code konnte nicht bestaetigt werden.'),
        'auth_required' => in_array($reason, ['auth_required', 'expired', 'attempt_limit'], true),
        'auth_expired' => false,
        'attempts_left' => isset($result['attempts_left']) ? (int) $result['attempts_left'] : null,
    ], (int) ($result['status_code'] ?? 422));
}

Bootstrap::jsonResponse([
    'ok' => true,
    'message' => 'E-Mail erfolgreich bestaetigt.',
]);