<?php
require_once __DIR__ . '/../inc/config.php';
require_once __DIR__ . '/../inc/auth.php';
require_once __DIR__ . '/../inc/oidc.php';

session_start_safe();

// Vérification state CSRF
$state = $_GET['state'] ?? '';
if (!$state || $state !== ($_SESSION['oidc_state'] ?? '')) {
    http_response_code(400);
    exit('Erreur : state OIDC invalide.');
}
unset($_SESSION['oidc_state'], $_SESSION['oidc_nonce']);

$code = $_GET['code'] ?? '';
if (!$code) {
    $error = $_GET['error_description'] ?? $_GET['error'] ?? 'Connexion annulée.';
    header('Location: /?error=' . urlencode($error));
    exit;
}

try {
    $tokens   = oidc_exchange_code($code);
    $userinfo = oidc_userinfo($tokens['access_token']);

    $groups      = $userinfo['groups'] ?? [];
    $is_admin    = (bool)array_intersect(ADMIN_GROUPS, $groups);
    $is_adherent = in_array(ADHERENT_GROUP, $groups, true) || $is_admin;

    $_SESSION['user'] = [
        'sub'         => $userinfo['sub'],
        'name'        => $userinfo['name'] ?? $userinfo['preferred_username'] ?? '',
        'first_name'  => $userinfo['given_name']  ?? '',
        'last_name'   => $userinfo['family_name'] ?? '',
        'email'       => $userinfo['email'] ?? '',
        'username'    => $userinfo['preferred_username'] ?? '',
        'groups'      => $groups,
        'is_admin'    => $is_admin,
        'is_adherent' => $is_adherent,
    ];
    $_SESSION['id_token'] = $tokens['id_token'] ?? '';

    $next = $_SESSION['next_url'] ?? '/profile.php';
    unset($_SESSION['next_url']);
    header('Location: ' . $next);
    exit;

} catch (Exception $e) {
    http_response_code(500);
    exit('Erreur d\'authentification : ' . htmlspecialchars($e->getMessage()));
}