<?php
/**
 * LUPMIS2 PWA — Authenticated entry point
 *
 * This file replaces a plain index.html as the directory index in production.
 * It:
 *   1. Picks up the LUSPA SSO cookie (sso_auth_token) set by the central
 *      login at https://lupmis4luspa.org/sso/.
 *   2. Validates the token server-side against the SSO endpoint.
 *   3. Populates a PHP session with the authenticated user's profile
 *      (user_id, district_id, region_id, full_name, ua_id, …).
 *   4. Reads the built index.html that Vite produces and injects the
 *      session payload as a JavaScript global `window.LUPMIS_SESSION` —
 *      the PWA reads this on startup (see src/remotedb.js) to scope every
 *      API call to the logged-in user's district.
 *
 * In local development (Vite serves index.html directly without PHP) the
 * global is absent and the PWA falls back to a hard-coded district for
 * testing. See remotedb.js getApiCredentials().
 *
 * Adapted from auth code provided by the LUSPA authentication team
 * (FromKwesi / 20260527 / index.php).
 */
session_start();

// ────────────────────────────────────────────────────────────────────────────
// SSO authentication — validate the cookie if we don't already have a session
// ────────────────────────────────────────────────────────────────────────────
if (!isset($_SESSION['user_id']) && isset($_COOKIE['sso_auth_token'])) {
    $plainToken = $_COOKIE['sso_auth_token'];
    $validate_url = 'https://lupmis4luspa.org/sso/validate?token=' . urlencode($plainToken);

    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL            => $validate_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING       => "",
        CURLOPT_MAXREDIRS      => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST  => "GET",
        CURLOPT_HTTPHEADER     => [ "Content-Type: application/xml" ],
    ]);
    $response = curl_exec($curl);
    $httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);

    if ($httpCode === 200) {
        $data = json_decode($response, true);
        if (
            is_array($data)
            && isset($data['valid']) && $data['valid'] === true
            && isset($data['logged_in_user']) && is_array($data['logged_in_user'])
        ) {
            // Copy all returned user fields into the session
            foreach ($data['logged_in_user'] as $key => $value) {
                $_SESSION[$key] = $value;
            }
        }
    } else {
        // Token rejected by the SSO server — clear the stale cookie so the
        // browser stops sending it. Domain `.lupmis4luspa.org` covers all
        // subdomains (so SSO logout works from the PWA too).
        setcookie('sso_auth_token', '', time() - 3600, '/', '.lupmis4luspa.org');
    }
}

// ────────────────────────────────────────────────────────────────────────────
// Build the payload exposed to the PWA as window.LUPMIS_SESSION
// ────────────────────────────────────────────────────────────────────────────
$payload = [];
if (isset($_SESSION['user_id'])) {
    $payload = [
        'user_id'     => $_SESSION['user_id']     ?? null,
        'ua_id'       => $_SESSION['ua_id']       ?? null,
        'username'    => $_SESSION['username']    ?? null,
        'title'       => $_SESSION['title']       ?? null,
        'full_name'   => $_SESSION['full_name']   ?? null,
        'email'       => $_SESSION['email']       ?? null,
        'user_type'   => $_SESSION['user_type']   ?? null,
        'phone'       => $_SESSION['phone']       ?? null,
        'ua_position' => $_SESSION['ua_position'] ?? null,
        'region_id'   => $_SESSION['region_id']   ?? null,
        'district_id' => $_SESSION['district_id'] ?? null,
    ];
}

// ────────────────────────────────────────────────────────────────────────────
// Read the built index.html and inject the session as a JS global
// ────────────────────────────────────────────────────────────────────────────
$indexPath = __DIR__ . '/index.html';
$html = is_readable($indexPath)
    ? file_get_contents($indexPath)
    : '<!DOCTYPE html><html><body><h1>LUPMIS2 PWA</h1><p>index.html is missing from this deployment.</p></body></html>';

// Encode safely for inline <script> — the JSON flags below escape
// characters that could break the HTML parser (<, >, &, ', ").
$sessionJson = json_encode(
    $payload,
    JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
$inject = "<script>window.LUPMIS_SESSION = {$sessionJson};</script>";

// Insert right after the opening <head> tag
$html = preg_replace('/<head\b[^>]*>/i', '$0' . "\n  " . $inject, $html, 1);

// ────────────────────────────────────────────────────────────────────────────
// Serve
// ────────────────────────────────────────────────────────────────────────────
header('Content-Type: text/html; charset=utf-8');
// Don't let intermediaries cache an authenticated response — the next visit
// might be a different user. Asset hashes still let static files be cached.
header('Cache-Control: no-store, must-revalidate');
header('Pragma: no-cache');

echo $html;