<?php

# normalize usernames (for case-insensitive etc. logins)
function format_auth_username($str) {
    $str = iconv('utf8', 'ascii//TRANSLIT', $str);
    $str = strtolower(trim($str));
    $str = preg_replace('/[^a-z0-9]/', '', $str);
    return $str;
}

# Called automatically by session_auth().
# Only call if you've just verified that someone has logged in, or has clicked
# a valid password reset link.
function session_auth_init($id = false, $password_reset = false) {
    $GLOBALS['wfpl_session_auth'] = [
        'id' => null,
        'role' => null,
        'name' => null,
        'username' => null,
        'last_active' => null,
        'password_reset' => null
    ];

    if ($id) {
        $user = db_get_assoc('users', 'role,name,username', 'where id=%i', $id);
        $now = time();
        db_update('users', 'last_active', $now, 'where id=%i', $id);
        $GLOBALS['wfpl_session_auth']['id'] = $id;
        $GLOBALS['wfpl_session_auth']['role'] = $user['role'];
        $GLOBALS['wfpl_session_auth']['name'] = $user['name'];
        $GLOBALS['wfpl_session_auth']['username'] = $user['username'];
        $GLOBALS['wfpl_session_auth']['last_active'] = $now;
    }

    if ($password_reset) {
        $GLOBALS['wfpl_session_auth']['password_reset'] = true;
        $GLOBALS['wfpl_session_auth']['id'] = session_get('auth_password_reset_id');
    }
}

# return an assoc containing info about the authenticated user, see session_auth_init
function session_auth() {
    if (!isset($GLOBALS['wfpl_session_auth'])) {
        $id = false;
        $reset = false;
        if (session_exists()) {
            $id = session_get('auth_id');
            if (!$id) {
                $r = session_get('auth_password_reset');
                if (strlen($r)) {
                    $r = (int) format_int_0($r);
                    if (time() < $r) {
                        $reset = true;
                    } else {
                        message('Oops, your temporary access (to change your password) has expired');
                        session_clear('auth_password_reset');
                    }
                }
            }
        }
        session_auth_init($id, $reset);
    }
    return $GLOBALS['wfpl_session_auth'];
}

# return true if the logged in user is allowed to $priv
# (false if they are not logged in, or aren't alowed to $priv)
function session_auth_can($priv) {
    $s = session_auth();
    if ($s['role'] === 'admin') {
        return true;
    }
    return false;
}

# return ONLY IF the currently logged in user can $priv
# otherwise, it displays the login page, and exit early
function session_auth_must($priv) {
    if (session_auth_can($priv)) {
        return;
    }
    if (!isset($_REQUEST['after_login'])) {
        $_REQUEST['after_login_url'] = this_url();
    }
    wfpl_main('login');
    exit();
}