<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Http\Requests\Auth\LoginRequest;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Inertia\Inertia;
use Inertia\Response;

class AuthenticatedSessionController extends Controller
{
    /**
     * Display the login view.
     */
    public function create(): Response
    {
        return Inertia::render('Auth/Login', [
            'canResetPassword' => Route::has('password.request'),
            'status' => session('status'),
        ]);
    }

    /**
     * Handle an incoming authentication request.
     */
    public function store(LoginRequest $request): RedirectResponse
    {
        $request->authenticate();

        $request->session()->regenerate();

        $user = Auth::user();

        // Check global 2FA toggles
        $totpAllowed = true;
        $emailAllowed = true;
        try {
            $settings = \Illuminate\Support\Facades\Cache::rememberForever('system_settings', function () {
                return \App\Models\Setting::all()->pluck('value', 'key')->toArray();
            });
            if (isset($settings['two_factor_totp_enabled'])) {
                $totpAllowed = $settings['two_factor_totp_enabled'] === '1' || $settings['two_factor_totp_enabled'] === true;
            }
            if (isset($settings['two_factor_email_enabled'])) {
                $emailAllowed = $settings['two_factor_email_enabled'] === '1' || $settings['two_factor_email_enabled'] === true;
            }
        } catch (\Exception $e) {
            // DB not ready or migrated
        }

        // If user has 2FA enabled, and it's globally allowed, redirect to challenge screen
        if ($totpAllowed && $user->two_factor_confirmed_at && $user->two_factor_secret) {
            $request->session()->put('two_factor_user_id', $user->id);
            $request->session()->put('two_factor_type', 'totp');
            Auth::guard('web')->logout();
            $request->session()->forget('password_hash_web');

            return redirect()->route('two-factor.challenge');
        }

        // If user has Email 2FA enabled, and it's globally allowed, redirect to email challenge
        if ($emailAllowed && $user->email_2fa_enabled) {
            $code = str_pad(mt_rand(100000, 999999), 6, '0', STR_PAD_LEFT);
            $user->update([
                'email_2fa_code' => $code,
                'email_2fa_expires_at' => now()->addMinutes(10),
            ]);

            try {
                \Illuminate\Support\Facades\Mail::to($user->email)->send(new \App\Mail\Send2FACode($code));
            } catch (\Exception $e) {
                \Illuminate\Support\Facades\Log::error("Failed to send 2FA Email Code: " . $e->getMessage());
            }

            $request->session()->put('two_factor_user_id', $user->id);
            $request->session()->put('two_factor_type', 'email');
            Auth::guard('web')->logout();
            $request->session()->forget('password_hash_web');

            return redirect()->route('two-factor.challenge');
        }

        return redirect()->intended(route('dashboard', absolute: false));
    }

    /**
     * Destroy an authenticated session.
     */
    public function destroy(Request $request): RedirectResponse
    {
        Auth::guard('web')->logout();

        $request->session()->invalidate();

        $request->session()->regenerateToken();

        return redirect('/');
    }
}