<?php
//======================================================================================
//
// Function: Validate the REEFT 2.0 Access token
//
// Programmer: AR
// Date : 2025-02-07
//
// Copyright Reeft A/S (c) - 2025
//======================================================================================
//======================================================================================
// Set session
//======================================================================================
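if (!isset($_SESSION)) {
    session_start();
}

/**
 * Read one request parameter as a plain string.
 *
 * Values returned from here are copied verbatim into outbound HTTP headers by
 * authorization(), so arrays (name[]=...) and control characters are rejected
 * up front instead of being stringified or smuggled into the header block.
 * A missing parameter ends the request with 400 and the given message unless
 * a default is supplied.
 *
 * @param string      $name           Key in $_REQUEST
 * @param string      $missingMessage Text shown when the parameter is absent
 * @param string|null $default        Value used when absent (null = required)
 */
function gpsRequestParam(string $name, string $missingMessage, ?string $default = null): string
{
    if (!isset($_REQUEST[$name])) {
        if ($default !== null) {
            return $default;
        }
        http_response_code(400); // Bad Request
        displayError($missingMessage);
        exit;
    }
    $value = $_REQUEST[$name];
    if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        http_response_code(400); // Bad Request
        displayError($name . ' has an invalid value');
        exit;
    }
    return $value;
}

if (isset($_GET['test']) && $_GET['test'] === 'Y') {
    // Test path. The token used to be a set of JWTs hard-coded in this file
    // (one of them labelled "super admin"), which put a live credential into
    // source control and made "?test=Y" a login shortcut on every deployment.
    // It is now read from the environment, so the path only works where an
    // operator has deliberately configured it. The variable name is chosen
    // here as a placeholder; align it with the deployment configuration.
    $testToken = getenv('REEFT_GPS_TEST_TOKEN');
    if ($testToken === false || trim($testToken) === '') {
        http_response_code(403); // Forbidden
        displayError('Test mode is not enabled on this server');
        exit;
    }
    $ConsiderOrganizationHeader = 0;
    $UseSharedDb = 1;
    $TargetOrganization = 'DF93654E-D1C3-458B-8020-359F19AD61CE';
    // authorization() takes six arguments; the previous call passed five and
    // raised ArgumentCountError before any request was made.
    authorization(trim($testToken), $ConsiderOrganizationHeader, $UseSharedDb, $TargetOrganization, 'da', 'production');
} else {
    // GPS sends everything as request parameters: token, ConsiderOrganizationHeader,
    // TargetOrganization, UseSharedDb, language and (optionally) origin.
    // NOTE: $_REQUEST accepts a GET, so the bearer token can end up in access
    // logs, proxies and browser history; POST is the safer transport.
    $receivedToken = trim(str_replace('Bearer', '', gpsRequestParam('token', 'Bearer token not provided')));
    if ($receivedToken === '') {
        // An empty token used to skip authorization silently and end the
        // request with 200 and no session; treat it as not provided.
        http_response_code(400); // Bad Request
        displayError('Bearer token not provided');
        exit;
    }

    $loginLanguage = gpsRequestParam('language', 'Language missing');
    if (!in_array($loginLanguage, ['en', 'de', 'da', 'no', 'sv'], true)) {
        http_response_code(400); // Bad Request
        displayError('Language not allow (allow is ["en", "de", "da", "no", "sv"])');
        exit;
    }

    $ConsiderOrganizationHeader = gpsRequestParam('ConsiderOrganizationHeader', 'ConsiderOrganizationHeader missing');
    $UseSharedDb = gpsRequestParam('UseSharedDb', 'UseSharedDb missing');
    $TargetOrganization = gpsRequestParam('TargetOrganization', 'TargetOrganization missing');
    $origin = gpsRequestParam('origin', 'origin missing', 'production');

    // Staging and test origins talk to their own backends; any other value
    // (including 'production') keeps the globally configured URLs.
    $originUrls = [
        'staging' => [
            'https://staging-bffweb.reeft.com/api',
            'https://staging-customer.reeft.com/api',
            'https://staging-organization.reeft.com/api',
        ],
        'azdev' => [
            'https://azdev-bffweb.reeft.com/api',
            'https://azdev-customer.reeft.com/api',
            'https://azdev-organization.reeft.com/api',
        ],
        'aztest' => [
            'https://aztest-bffweb.reeft.com/api',
            'https://aztest-customer.reeft.com/api',
            'https://aztest-organization.reeft.com/api',
        ],
    ];
    if (isset($originUrls[$origin])) {
        [$rftUrl, $rftUrlCustomer, $rftUrlOrganization] = $originUrls[$origin];
    }

    // authorization() ends the request itself on every failure path, so
    // reaching the comparison means the login succeeded.
    $auth = authorization($receivedToken, $ConsiderOrganizationHeader, $UseSharedDb, $TargetOrganization, $loginLanguage, $origin);
    if ($auth === 'OK') {
        http_response_code(200); // OK
    }
}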
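/**
 * Exchange the REEFT 2.0 bearer token for a GPS session.
 *
 * POSTs the token and organisation selectors as headers to
 * $rftUrl . '/Authentication/Login/Gps' and, on a 200 reply with a
 * well-formed JSON body, copies the login details into $_SESSION. Every
 * failure path ends the request via displayError() + exit, so a return
 * value always means success.
 *
 * @param string          $receivedToken              JWT supplied by the caller (without "Bearer ")
 * @param string|int|bool $ConsiderOrganizationHeader Forwarded as the ConsiderOrganizationHeader header
 * @param string|int|bool $UseSharedDb                Forwarded as the UseSharedDb header
 * @param string          $TargetOrganization         Organisation id forwarded as the TargetOrganization header
 * @param string          $loginLanguage              UI language, stored in the session
 * @param string          $origin                     Deployment the caller came from, stored in the session;
 *                                                    defaults to 'production' so five-argument calls keep working
 * @return string "OK"
 */
function authorization(string $receivedToken, $ConsiderOrganizationHeader, $UseSharedDb, string $TargetOrganization, string $loginLanguage, string $origin = 'production'): string
{
    global $rftUrl;
    $apiUrl = $rftUrl . '/Authentication/Login/Gps';

    // Header values are spliced into the raw request line by line; a CR/LF
    // inside one would let the caller add or terminate headers, so refuse such
    // values here regardless of what the calling script checked.
    $headerValues = [
        'Authorization' => 'Bearer ' . $receivedToken,
        'ConsiderOrganizationHeader' => (string) $ConsiderOrganizationHeader,
        'UseSharedDb' => (string) $UseSharedDb,
        'TargetOrganization' => $TargetOrganization,
    ];
    $headers = ['accept: text/plain'];
    foreach ($headerValues as $headerName => $headerValue) {
        if (preg_match('/[\r\n]/', $headerValue) === 1) {
            http_response_code(400); // Bad Request
            displayError('Invalid characters in ' . $headerName);
            exit;
        }
        $headers[] = $headerName . ': ' . $headerValue;
    }

    $ch = curl_init($apiUrl);
    if ($ch === false) {
        http_response_code(500); // Internal Server Error
        displayError('cURL error calling Authentication/Login/Gps - could not initialise handle');
        exit;
    }
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER => $headers,
        CURLOPT_POST => true, // sent as POST; all data travels in the headers, no body is set
        CURLOPT_RETURNTRANSFER => true,
        // Bound the wait so a stalled identity service cannot pin this worker
        // indefinitely (seconds; values chosen here, tune to the environment).
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT => 30,
    ]);

    $response = curl_exec($ch);
    $httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $curlError = curl_errno($ch) !== 0 ? curl_error($ch) : '';
    curl_close($ch);

    if ($curlError !== '') {
        http_response_code(400); // Bad Request
        displayError('cURL error calling Authentication/Login/Gps - ' . $curlError);
        exit;
    }
    if ($httpCode !== 200) {
        http_response_code(400); // Bad Request
        displayError('httpCode recieved calling Authentication/Login/Gps - ' . $httpCode);
        exit;
    }

    // Check the reply's shape before using it; indexing a missing key would
    // otherwise leave a half-populated session behind.
    $data = is_string($response) ? json_decode($response, true) : null;
    $requiredKeys = [
        'token', 'refreshToken', 'organizationId', 'organizationName',
        'userId', 'name', 'role', 'departmentId', 'departmentName',
    ];
    $wellFormed = is_array($data);
    foreach ($requiredKeys as $key) {
        $wellFormed = $wellFormed && array_key_exists($key, $data);
    }
    if (!$wellFormed || !isset($data['role'][0])) {
        http_response_code(502); // Bad Gateway: upstream answered 200 but the body is unusable
        displayError('Unexpected response from Authentication/Login/Gps');
        exit;
    }

    // A fresh session id at login defeats session fixation: an id planted in
    // the browser beforehand must not turn into an authenticated one.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['receivedToken'] = $receivedToken;
    $_SESSION['ConsiderOrganizationHeader'] = $ConsiderOrganizationHeader;
    $_SESSION['UseSharedDb'] = $UseSharedDb;
    $_SESSION['TargetOrganization'] = $TargetOrganization;
    $_SESSION['loginLanguage'] = $loginLanguage;
    $_SESSION['token'] = $data['token'];
    $_SESSION['origin'] = $origin;
    $_SESSION['refreshToken'] = $data['refreshToken'];
    $_SESSION['loginOrganizationId'] = $data['organizationId'];
    $_SESSION['loginOrganizationName'] = $data['organizationName'];
    $_SESSION['loginUserId'] = $data['userId'];
    $_SESSION['loginUserName'] = $data['name'];
    $_SESSION['loginUserRole'] = $data['role'][0];
    $_SESSION['loginDepartmentId'] = $data['departmentId'];
    $_SESSION['loginDepartmentName'] = $data['departmentName'];
    return "OK";
}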
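/**
 * Render a full HTML error page for the user in the opened window.
 *
 * Callers set the HTTP status code before and call exit after. The message
 * is escaped for HTML with quotes encoded and UTF-8 declared explicitly, so
 * text echoed back from request parameters cannot inject markup whatever
 * the PHP version's htmlspecialchars() defaults are.
 *
 * @param string $errorMessage Text shown on the "Error:" line
 */
function displayError(string $errorMessage): void
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    $safeMessage = htmlspecialchars($errorMessage, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo <<<HTML
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
margin-top: 50px;
}
.error-box {
display: inline-block;
border: 1px solid red;
padding: 20px;
background-color: #ffe6e6;
color: red;
font-weight: bold;
border-radius: 10px;
}
</style>
</head>
<body>
<div class="error-box">
<p>Sorry, you do not have access to this page</p>
<p>Please try again from the webplanner or contact support and provide the error message below</p>
<p>Error: {$safeMessage}</p>
</div>
</body>
</html>
HTML;
    echo "\n";
}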
?>