<?php
class Bluesky_Auth {
    private $identifier;
    private $password;
    private $api_domain;

    public function __construct($identifier, $password) {
        $this->identifier = $identifier;
        $this->password = $password;
        
        // Get domain with fallback and force https://
        $domain = get_option('bluesky_domain', 'https://bsky.social');
        if (empty($domain)) {
            $domain = 'https://bsky.social';
        }
        if (strpos($domain, 'https://') !== 0) {
            $domain = 'https://' . $domain;
        }
        
        // Ensure proper URL format
        $this->api_domain = rtrim($domain, '/') . '/';
        
        // Debug logs
        error_log('Bluesky Auth - Using domain setting: ' . get_option('bluesky_domain'));
        error_log('Bluesky Auth - Processed domain: ' . $this->api_domain);
        error_log('Bluesky Auth - Identifier: ' . $this->identifier);
    }

    public function get_access_token() {
        if ($this->should_refresh_token()) {
            return $this->refresh_access_token();
        }

        $token_url = $this->api_domain . 'xrpc/com.atproto.server.createSession';
        
        // Debug log
        error_log('Bluesky Auth - Attempting connection to: ' . $token_url);

        $headers = array(
            'Content-Type' => 'application/json',
        );

        $body = json_encode(array(
            'identifier' => $this->identifier,
            'password' => $this->password,
        ));

        // Debug log
        error_log('Bluesky Auth - Request body: ' . $body);

        $wp_version = get_bloginfo('version');
        $user_agent = apply_filters('http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo('url'));

        $response = wp_remote_post($token_url, array(
            'headers' => $headers,
            'user-agent' => "$user_agent; Bluesky Connector",
            'body' => $body,
            'timeout' => 30, // Increase timeout
        ));

        if (is_wp_error($response)) {
            $error_message = $response->get_error_message();
            error_log('Bluesky Auth Error: ' . $error_message);
            return array('error' => $error_message);
        }

        // Debug response
        $status_code = wp_remote_retrieve_response_code($response);
        $response_body = wp_remote_retrieve_body($response);
        error_log('Bluesky Auth - Response status: ' . $status_code);
        error_log('Bluesky Auth - Response body: ' . $response_body);

        $data = json_decode($response_body, true);

        if (!empty($data['accessJwt']) && !empty($data['refreshJwt']) && !empty($data['did'])) {
            update_option('bluesky_access_jwt', sanitize_text_field($data['accessJwt']));
            update_option('bluesky_refresh_jwt', sanitize_text_field($data['refreshJwt']));
            update_option('bluesky_did', sanitize_text_field($data['did']));
            update_option('bluesky_token_created', time());
            delete_option('bluesky_password'); // Don't store password
            return $data['accessJwt'];
        }

        // More detailed error reporting
        $error_message = isset($data['error']) ? $data['error'] : 'Failed to get access token';
        if (isset($data['message'])) {
            $error_message .= ' - ' . $data['message'];
        }
        error_log('Bluesky Auth - Error: ' . $error_message);
        return array('error' => $error_message);
    }

    private function should_refresh_token() {
        $token_created = get_option('bluesky_token_created');
        $refresh_token = get_option('bluesky_refresh_jwt');
        
        // Refresh if token is older than 23 hours or doesn't exist
        return !empty($refresh_token) && ($token_created < (time() - 82800));
    }

    private function refresh_access_token() {
        $refresh_token = get_option('bluesky_refresh_jwt');
        if (empty($refresh_token)) {
            return array('error' => 'No refresh token available');
        }

        $refresh_url = $this->api_domain . 'xrpc/com.atproto.server.refreshSession';

        // Debug log
        error_log('Bluesky Auth - Attempting token refresh at: ' . $refresh_url);

        $wp_version = get_bloginfo('version');
        $user_agent = apply_filters('http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo('url'));

        $response = wp_remote_post($refresh_url, array(
            'headers' => array(
                'Authorization' => 'Bearer ' . $refresh_token,
                'Content-Type' => 'application/json',
            ),
            'user-agent' => "$user_agent; Bluesky Connector",
            'timeout' => 30,
        ));

        if (is_wp_error($response)) {
            $error_message = $response->get_error_message();
            error_log('Bluesky Token Refresh Error: ' . $error_message);
            return array('error' => $error_message);
        }

        // Debug response
        $status_code = wp_remote_retrieve_response_code($response);
        $response_body = wp_remote_retrieve_body($response);
        error_log('Bluesky Auth Refresh - Response status: ' . $status_code);
        error_log('Bluesky Auth Refresh - Response body: ' . $response_body);

        $data = json_decode($response_body, true);

        if (!empty($data['accessJwt']) && !empty($data['refreshJwt'])) {
            update_option('bluesky_access_jwt', sanitize_text_field($data['accessJwt']));
            update_option('bluesky_refresh_jwt', sanitize_text_field($data['refreshJwt']));
            update_option('bluesky_token_created', time());
            return $data['accessJwt'];
        }

        $error_message = isset($data['error']) ? $data['error'] : 'Failed to refresh token';
        if (isset($data['message'])) {
            $error_message .= ' - ' . $data['message'];
        }
        error_log('Bluesky Auth Refresh - Error: ' . $error_message);
        return array('error' => $error_message);
    }
}