<?php
session_start();
require_once 'db/config.php';

$action = $_GET['action'] ?? '';

switch ($action) {
    case 'register':
        register();
        break;
    case 'login':
        login();
        break;
    case 'logout':
        logout();
        break;
    default:
        header('Location: login.php');
        exit;
}

function register() {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: register.php');
        exit;
    }

    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    $confirm_password = $_POST['confirm_password'] ?? '';

    if (empty($name) || empty($email) || empty($password) || empty($confirm_password)) {
        header('Location: register.php?error=All fields are required.');
        exit;
    }

    if ($password !== $confirm_password) {
        header('Location: register.php?error=Passwords do not match.');
        exit;
    }

    $pdo = db();
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetch()) {
        header('Location: register.php?error=Email already exists.');
        exit;
    }

    $hashed_password = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('INSERT INTO users (name, email, password) VALUES (?, ?, ?)');
    if ($stmt->execute([$name, $email, $hashed_password])) {
        // Assign default 'User' group
        $user_id = $pdo->lastInsertId();
        $stmt = $pdo->prepare('INSERT INTO user_groups (user_id, group_id) VALUES (?, ?)');
        $stmt->execute([$user_id, 3]); 
        header('Location: login.php');
        exit;
    } else {
        header('Location: register.php?error=An error occurred.');
        exit;
    }
}

function login() {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: login.php');
        exit;
    }

    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    if (empty($email) || empty($password)) {
        header('Location: login.php?error=Email and password are required.');
        exit;
    }

    $pdo = db();
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch();

    if ($user && password_verify($password, $user['password'])) {
        if ($user['is_suspended']) {
            log_login_attempt($user['id'], 'failed');
            header('Location: login.php?error=Your account is suspended.');
            exit;
        }

        // Prevent multiple logins from different IPs
        $session_id = session_id();
        $ip_address = $_SERVER['REMOTE_ADDR'];
        
        $stmt = $pdo->prepare('SELECT * FROM active_sessions WHERE user_id = ?');
        $stmt->execute([$user['id']]);
        $active_session = $stmt->fetch();

        if ($active_session && $active_session['ip_address'] !== $ip_address) {
             log_login_attempt($user['id'], 'failed');
             header('Location: login.php?error=User is already logged in from another IP address.');
             exit;
        }

        // Store session
        $stmt = $pdo->prepare('REPLACE INTO active_sessions (session_id, user_id, ip_address) VALUES (?, ?, ?)');
        $stmt->execute([$session_id, $user['id'], $ip_address]);

        $_SESSION['user_id'] = $user['id'];
        $_SESSION['user_name'] = $user['name'];

        // Update last login info
        $stmt = $pdo->prepare('UPDATE users SET last_login = NOW(), last_login_ip = ? WHERE id = ?');
        $stmt->execute([$ip_address, $user['id']]);
        
        log_login_attempt($user['id'], 'success');

        header('Location: admin/index.php');
        exit;
    } else {
        $user_id = $user ? $user['id'] : null;
        log_login_attempt($user_id, 'failed');
        header('Location: login.php?error=Invalid email or password.');
        exit;
    }
}

function logout() {
    $pdo = db();
    $stmt = $pdo->prepare('DELETE FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);

    session_unset();
    session_destroy();
    header('Location: login.php');
    exit;
}

function log_login_attempt($user_id, $status) {
    $pdo = db();
    $stmt = $pdo->prepare('INSERT INTO login_logs (user_id, ip_address, status) VALUES (?, ?, ?)');
    $stmt->execute([$user_id, $_SERVER['REMOTE_ADDR'], $status]);
}