<?php
// WEVAL Authentik SSO — OAuth2 Callback (with debug)
session_set_cookie_params(["lifetime"=>86400,"path"=>"/","domain"=>".weval-consulting.com","secure"=>true,"httponly"=>true,"samesite"=>"Lax"]);
session_start();
$code = $_GET['code'] ?? '';
$state = $_GET['state'] ?? '';
$error = $_GET['error'] ?? '';

$log = function($msg) { error_log("SSO_CB: $msg"); file_put_contents("/tmp/sso-debug.log", date("Y-m-d H:i:s")." $msg\n", FILE_APPEND); };

if($error) { $log("ERROR: $error"); header('Location: /login.html?error=sso_'.urlencode($error)); exit; }
if(!$code) { $log("NO CODE"); header('Location: /login.html?error=no_code'); exit; }

$log("Code received: ".substr($code,0,20)."... State: $state");

$tokenUrl = 'http://127.0.0.1:9090/application/o/token/';
$clientId = 'aB9IF9xQ8L9u7Ty1Eq63dMYFgy59O58fqzuNulwJ';
$clientSecret = 'ZfGUQFAn9mAxerG5wOVvfCWb4QZ0YlGW0s8AxLhY5qkChGhQY8hQeKw4nSvuH79lEPwAEs6IMggeygWN7sjqpJ2WkWgKMcuQUCBxl5CC6ly7Xih9Nd20LUgPv86cG1ZP';
$redirectUri = 'https://weval-consulting.com/api/auth-callback.php';

$postData = http_build_query(['grant_type'=>'authorization_code','code'=>$code,'redirect_uri'=>$redirectUri,'client_id'=>$clientId,'client_secret'=>$clientSecret]);

$ch = curl_init($tokenUrl);
curl_setopt_array($ch, [CURLOPT_POST=>true, CURLOPT_RETURNTRANSFER=>true, CURLOPT_TIMEOUT=>10, CURLOPT_POSTFIELDS=>$postData]);
$resp = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curlError = curl_error($ch);
curl_close($ch);

$log("Token response HTTP $httpCode: $resp");
if($curlError) $log("CURL ERROR: $curlError");

$token = json_decode($resp, true);
if(empty($token['access_token'])) {
    $log("TOKEN FAIL: no access_token in response");
    header('Location: /login.html?error=token_fail&manual=1');
    exit;
}

// Get user info
$ch = curl_init('http://127.0.0.1:9090/application/o/userinfo/');
curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER=>true, CURLOPT_TIMEOUT=>5, CURLOPT_HTTPHEADER=>['Authorization: Bearer '.$token['access_token']]]);
$userResp = curl_exec($ch); curl_close($ch);
$user = json_decode($userResp, true);
$username = $user['preferred_username'] ?? $user['sub'] ?? 'sso_user';
$email = $user['email'] ?? '';

$log("User: $username ($email)");

session_regenerate_id(true);
$_SESSION['wu'] = $username;
$_SESSION['wa'] = 1;
$_SESSION['weval_auth'] = true;
$_SESSION['weval_user'] = $username;
$_SESSION['sso'] = true;
$_SESSION['email'] = $email;

$redirect = '/products/workspace.html';
if($state) { $decoded = base64_decode($state); if($decoded && strpos($decoded,'/')===0) $redirect = $decoded; }
$log("Redirect: $redirect");
header('Location: '.$redirect);