<?php
/* Copyright (C) 2026 Eduard Wisch <data@data-it-solution.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */

/**
 *  \file       netdiag/api/auth.php
 *  \ingroup    netdiag
 *  \brief      API-Endpunkt: Anmeldung der mobilen App, liefert JWT.
 *
 *  POST {login, password}  ->  {token, expiresIn, user}
 */

require_once __DIR__.'/netdiag_api.lib.php';

netdiag_api_bootstrap();

/** @var DoliDB $db */

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
	netdiag_api_error('Nur POST erlaubt', 405);
}

$body = netdiag_api_read_body();
$login = isset($body['login']) ? trim((string) $body['login']) : '';
$password = isset($body['password']) ? (string) $body['password'] : '';

if ($login === '' || $password === '') {
	netdiag_api_error('Login und Passwort erforderlich', 400);
}

require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';

// Zugangsdaten gegen Dolibarr prüfen (Standard-Login-Backend)
$entitytocheck = (int) $conf->entity;
$authmode = (getDolGlobalString('MAIN_AUTHENTICATION_MODE') ? getDolGlobalString('MAIN_AUTHENTICATION_MODE') : 'dolibarr');
$resultlogin = checkLoginPassEntity($login, $password, $entitytocheck, explode(',', $authmode));

if (empty($resultlogin)) {
	// Kurze Verzögerung gegen Brute-Force
	sleep(1);
	netdiag_api_error('Login fehlgeschlagen', 401);
}

$user = new User($db);
if ($user->fetch('', $resultlogin, '', 0, $entitytocheck) <= 0 || empty($user->id)) {
	netdiag_api_error('Benutzer nicht gefunden', 401);
}
if (!empty($user->statut) && $user->statut == 0) {
	netdiag_api_error('Benutzer deaktiviert', 403);
}
$user->loadRights();

if (!$user->hasRight('netdiag', 'protocol', 'read')) {
	netdiag_api_error('Keine Berechtigung für NetDiag', 403);
}

$ttl = (int) getDolGlobalString('NETDIAG_API_TOKEN_TTL', '604800');
if ($ttl < 60) {
	$ttl = 604800;
}

$token = netdiag_jwt_encode(array(
	'sub'  => (int) $user->id,
	'name' => $user->getFullName($langs),
), $ttl);

netdiag_api_respond(array(
	'token'     => $token,
	'expiresIn' => $ttl,
	'user'      => array(
		'id'       => (int) $user->id,
		'login'    => $user->login,
		'name'     => $user->getFullName($langs),
		'email'    => $user->email,
		'canWrite' => (bool) $user->hasRight('netdiag', 'protocol', 'write'),
	),
));