<?php
defined('MYAAC') or die('Direct access not allowed!');

use MyAAC\TwoFactorAuth\TwoFactorAuth;
use OTPHP\TOTP;
use Symfony\Component\Clock\NativeClock;

require __DIR__ . '/../base.php';

if (!empty($account_logged->getCustomField('2fa_secret'))) {

	$twig->display('account/2fa/app/enable.already_connected.html.twig');

	return;
}

$explodeRecoveryKey = explode('-', $account_logged->getCustomField('key'));
$newRecoveryKeyFormat = (count($explodeRecoveryKey) == 4);

if (ACTION == 'request') {

	if ($newRecoveryKeyFormat) {
		$key = $_POST['key1'] . '-' . $_POST['key2'] . '-' . $_POST['key3'] . '-' . $_POST['key4'];
	}
	else {
		$key = $_POST['key'];
	}

	$accountKey = $account_logged->getCustomField('key');
	if (!empty($key) && $key == $accountKey) {
		$clock = new NativeClock();

		$secret = getSession('2fa_secret');
		if ($secret === null) {
			$secret = generateRandom2faSecret();
			setSession('2fa_secret', $secret);
		}

		$twoFactorAuth->appDisplayEnable($secret);

		return;
	}
	else {
		if (empty($key)) {
			$errors[] = 'Please enter the recovery key!';
		}
		else {
			$errors[] = 'Invalid recovery key!';
		}
	}
}

if (ACTION == 'link') {
	$secret = getSession('2fa_secret');

	if ($secret === null) {
		$twig->display('error_box.html.twig', ['errors' => ['Secret not set. Go back and try again.']]);
		return;
	}

	$authCode = $_POST['auth-code'] ?? '';
	if (!empty($authCode)) {
		$otp = $twoFactorAuth->appInitTOTP($secret);

		if (!$otp->verify($authCode)) {
			$errors = ['Token is invalid!'];

			$twig->display('error_box.html.twig', ['errors' => $errors]);

			$twoFactorAuth->appDisplayEnable($secret, $otp, $errors);

			return;
		}

		if ($db->hasColumn('accounts', 'secret')) {
			$account_logged->setCustomField('secret', $secret);
		}

		$account_logged->setCustomField('2fa_secret', $secret);
		$twoFactorAuth->enable(TwoFactorAuth::TYPE_APP);

		$twig->display('success.html.twig',
			[
				'title' => 'Authenticator App Connected',
				'description' => 'You successfully connected your Tibia account to an authenticator app.'
			]
		);

		return;
	}
	else {
		$errors = ['You have to enter the code generated by the authenticator!'];

		$twig->display('error_box.html.twig', ['errors' => $errors]);
		$twoFactorAuth->appDisplayEnable($secret, null, $errors);
		return;
	}
}

if (!empty($errors)) {
	$twig->display('error_box.html.twig', ['errors' => $errors]);
}

$twig->display('account/2fa/app/enable.warning.html.twig',
	[
		'newRecoveryKeyFormat' => $newRecoveryKeyFormat,
		'errors' => $errors,
	]
);