<?php

namespace App\Core;

class Session
{
    public function __construct()
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
    }

    public function set(string $key, $value): void
    {
        $_SESSION[$key] = $value;
    }

    public function get(string $key, $default = null)
    {
        return $_SESSION[$key] ?? $default;
    }

    public function has(string $key): bool
    {
        return isset($_SESSION[$key]);
    }

    public function remove(string $key): void
    {
        unset($_SESSION[$key]);
    }

    public function destroy(): void
    {
        session_destroy();
    }

    public function regenerate(): bool
    {
        return session_regenerate_id(true);
    }

    public function flash(string $key, $value): void
    {
        $_SESSION['flash'][$key] = $value;
    }

    public function getFlash(string $key, $default = null)
    {
        $value = $_SESSION['flash'][$key] ?? $default;
        unset($_SESSION['flash'][$key]);
        return $value;
    }

    public function hasFlash(string $key): bool
    {
        return isset($_SESSION['flash'][$key]);
    }

    public function getFlashMessages(): array
    {
        $messages = $_SESSION['flash'] ?? [];
        unset($_SESSION['flash']);
        return $messages;
    }

    public function setUser(array $user): void
    {
        $this->set('user', $user);
        $this->regenerate();
    }

    public function getUser(): ?array
    {
        return $this->get('user');
    }

    public function isLoggedIn(): bool
    {
        return $this->has('user');
    }

    public function logout(): void
    {
        $this->remove('user');
        $this->destroy();
    }

    public function getUserId(): ?int
    {
        $user = $this->getUser();
        return $user['id'] ?? null;
    }

    public function getUserRole(): ?string
    {
        $user = $this->getUser();
        return $user['role'] ?? null;
    }

    public function isAdmin(): bool
    {
        return $this->getUserRole() === 'admin';
    }

    public function isAuditor(): bool
    {
        return $this->getUserRole() === 'auditor';
    }

    public function isEmployee(): bool
    {
        return $this->getUserRole() === 'employee';
    }

    public function generateCsrfToken(): string
    {
        $token = bin2hex(random_bytes(32));
        $this->set('csrf_token', $token);
        $this->set('csrf_token_time', time());
        return $token;
    }

    public function validateCsrfToken(string $token): bool
    {
        $storedToken = $this->get('csrf_token');
        $tokenTime = $this->get('csrf_token_time', 0);
        
        if (!$storedToken || !$tokenTime) {
            return false;
        }

        // Check if token is expired (1 hour)
        if (time() - $tokenTime > CSRF_TOKEN_LIFETIME) {
            $this->remove('csrf_token');
            $this->remove('csrf_token_time');
            return false;
        }

        return hash_equals($storedToken, $token);
    }

    public function getCsrfToken(): string
    {
        $token = $this->get('csrf_token');
        if (!$token) {
            $token = $this->generateCsrfToken();
        }
        return $token;
    }

    public function setLocale(string $locale): void
    {
        $this->set('locale', $locale);
    }

    public function getLocale(): string
    {
        return $this->get('locale', 'de');
    }

    public function setLastActivity(): void
    {
        $this->set('last_activity', time());
    }

    public function isExpired(int $timeout = 3600): bool
    {
        $lastActivity = $this->get('last_activity', 0);
        return (time() - $lastActivity) > $timeout;
    }

    public function setLoginAttempts(int $attempts): void
    {
        $this->set('login_attempts', $attempts);
        $this->set('login_attempts_time', time());
    }

    public function getLoginAttempts(): int
    {
        $attempts = $this->get('login_attempts', 0);
        $attemptsTime = $this->get('login_attempts_time', 0);
        
        // Reset attempts if lockout time has passed
        if (time() - $attemptsTime > LOGIN_LOCKOUT_TIME) {
            $this->setLoginAttempts(0);
            return 0;
        }
        
        return $attempts;
    }

    public function isLockedOut(): bool
    {
        return $this->getLoginAttempts() >= LOGIN_MAX_ATTEMPTS;
    }
}