<?php
session_start();
require_once 'config/database.php';

class Auth {
    private $pdo;

    public function __construct($pdo) {
        $this->pdo = $pdo;
    }

    public function login($username, $password) {
        try {
            $stmt = $this->pdo->prepare("SELECT id, full_name, phone, username, password, role FROM users WHERE username = ? AND status = 'active'");
            $stmt->execute([$username]);
            $user = $stmt->fetch(PDO::FETCH_ASSOC);

            if ($user && password_verify($password, $user['password'])) {
                $_SESSION['user_id'] = $user['id'];
                $_SESSION['full_name'] = $user['full_name'];
                $_SESSION['username'] = $user['username'];
                $_SESSION['role'] = $user['role'];
                $_SESSION['phone'] = $user['phone'];
                
                // Create session token for additional security
                $token = bin2hex(random_bytes(32));
                $_SESSION['token'] = $token;
                
                // Store session in database
                $expires = date('Y-m-d H:i:s', strtotime('+24 hours'));
                $stmt = $this->pdo->prepare("INSERT INTO user_sessions (user_id, session_token, expires_at) VALUES (?, ?, ?)");
                $stmt->execute([$user['id'], $token, $expires]);
                
                return true;
            }
            return false;
        } catch (PDOException $e) {
            return false;
        }
    }

    public function logout() {
        if (isset($_SESSION['user_id']) && isset($_SESSION['token'])) {
            // Remove session from database
            $stmt = $this->pdo->prepare("DELETE FROM user_sessions WHERE user_id = ? AND session_token = ?");
            $stmt->execute([$_SESSION['user_id'], $_SESSION['token']]);
        }
        
        session_destroy();
        header("Location: login.php");
        exit();
    }

    public function isLoggedIn() {
        return isset($_SESSION['user_id']) && isset($_SESSION['username']);
    }

    public function requireLogin() {
        if (!$this->isLoggedIn()) {
            header("Location: login.php");
            exit();
        }
    }

    public function requireAdmin() {
        $this->requireLogin();
        if ($_SESSION['role'] !== 'admin') {
            header("Location: index.php");
            exit();
        }
    }

    public function isSetupCompleted() {
        try {
            $stmt = $this->pdo->prepare("SELECT setting_value FROM app_settings WHERE setting_key = 'setup_completed'");
            $stmt->execute();
            $result = $stmt->fetch(PDO::FETCH_ASSOC);
            return $result && $result['setting_value'] == '1';
        } catch (PDOException $e) {
            return false;
        }
    }

    public function createFirstAdmin($full_name, $phone, $username, $password) {
        try {
            // Check if setup is already completed
            if ($this->isSetupCompleted()) {
                return false;
            }

            $hashed_password = password_hash($password, PASSWORD_DEFAULT);
            $stmt = $this->pdo->prepare("INSERT INTO users (full_name, phone, username, password, role) VALUES (?, ?, ?, ?, 'admin')");
            $result = $stmt->execute([$full_name, $phone, $username, $hashed_password]);

            if ($result) {
                // Mark setup as completed
                $stmt = $this->pdo->prepare("UPDATE app_settings SET setting_value = '1' WHERE setting_key = 'setup_completed'");
                $stmt->execute();
                return true;
            }
            return false;
        } catch (PDOException $e) {
            return false;
        }
    }

    public function getUserRole() {
        return $_SESSION['role'] ?? null;
    }

    public function getUserName() {
        return $_SESSION['full_name'] ?? '';
    }
}

$auth = new Auth($pdo);
?>