<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\ActivityLog;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    public function showForm()
    {
        return view('auth.login');
    }

    public function login(Request $request)
    {
        // Honeypot — Bots füllen versteckte Felder aus
        if ($request->filled('website')) {
            ActivityLog::log('bot_blocked', 'Bot blocked on login (honeypot triggered)');

            return back()
                ->withInput($request->only('email'))
                ->withErrors(['email' => __('auth_ui.login_failed')]);
        }

        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
        ]);

        // Deaktivierte Benutzer dürfen sich nicht einloggen (V01)
        $user = User::where('email', $request->email)->first();
        if ($user && !$user->is_active) {
            return back()
                ->withInput($request->only('email'))
                ->withErrors(['email' => __('auth_ui.login_failed')]);
        }

        if (!Auth::attempt($credentials, $request->boolean('remember'))) {
            $maskedEmail = $this->maskEmail($request->email);
            ActivityLog::log('login_failed', __('admin.log_login_failed', ['email' => $maskedEmail]));

            return back()
                ->withInput($request->only('email'))
                ->withErrors(['email' => __('auth_ui.login_failed')]);
        }

        $request->session()->regenerate();

        $request->user()->last_login_at = now();
        $request->user()->save();

        ActivityLog::log('login', __('admin.log_login', ['name' => $request->user()->name]), 'User', $request->user()->id);

        return redirect()->intended(route('dashboard'));
    }

    public function logout(Request $request)
    {
        ActivityLog::log('logout', __('admin.log_logout', ['name' => $request->user()->name]), 'User', $request->user()->id);

        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect()->route('login');
    }

    private function maskEmail(string $email): string
    {
        $parts = explode('@', $email, 2);
        if (count($parts) !== 2) {
            return '***';
        }

        $local = $parts[0];
        $masked = mb_substr($local, 0, 2) . str_repeat('*', max(mb_strlen($local) - 2, 2));

        return $masked . '@' . $parts[1];
    }
}