<?php

declare(strict_types = 1);

/**
 * @author Robert Strutts
 * @copyright (c) 2026, Robert Strutts
 * @license MIT
 */
namespace IOcornerstone\Framework;

use IOcornerstone\Framework\Services\Sessions\{
    RedisSessionHandler as RedisSes,
    FileSessionHandler as FileSes,
    CookieSessionHandler as CookieSes
};
use IOcornerstone\Framework\{
    Common,
    Configure,
    Registry
};

final class SessionManagement
{
    public static function start(
      array $options = [], 
      string $type = "",
      $enc = false
  ): void {
    if (empty($type)) {
        $type = Configure::get('sessions', 'type');
    }  
    if ($enc === false) {
        $exists = Registry::get('di')->exists('session_encryption');
        if ($exists) {  
            $enc = Registry::get('di')->get_service('session_encryption');
        }
    }
    if ($type === "none" || $type === "php") {
        self::makeSessionStarted();
        return;
    }
    $handler = match($type) {
        'redis' => new RedisSes($enc, $options),
        'files' => new FileSes($enc, $options),
        default => new CookieSes($enc, $options),
      };
    session_set_save_handler($handler);
    self::makeSessionStarted();
  }
    
  private static function makeSessionStarted(bool $force_secure = false) {
    if ((function_exists('session_status') && session_status() !== PHP_SESSION_ACTIVE) || !session_id()) {
      $name = Configure::get('sessions', 'session_name');
      if ($name !== null) {
        session_name($name);
      }

      if (! headers_sent()) {
        $use_secure = (USE_SECURE) ? 1 : 0;
        $use_secure = ($force_secure) ? 1 : $use_secure;
        session_start([
            'cookie_lifetime' => 0, // until browser is closed
            'cookie_secure' => $use_secure, // require secure cookies if HTTPS is used
            'use_only_cookies' => 1, // should be 1 to prevent URL attacks
            'cookie_httponly' => 1, // should be 1 to disable JavaScript access
            'cookie_samesite' => 'Strict', // should be Strict to prevent XSS
            // So you need it when you do not want to allow a user to pre-define the session ID value. You normally want to prevent that to reduce the attack surface.
            'use_strict_mode' => 1, // Note: Enabling session.use_strict_mode is mandatory for general session security. All sites are advised to enable this.
            'use_trans_sid' => 0, //  should be kept at the default of 0: URL based session management has additional security risks
        ]);
      }
    }
  }
  
    public static function hasUserRight(string $right): bool {
        $rights = (isset($_SESSION['users_rights'])) ? $_SESSION['users_rights'] : false;
        if ($rights === false) {
            return false;
        }
        if (! json_validate($right)) {
            return false;
        }
        $assoc = true; // Use Array format
        $a_rights = json_decode($rights, $assoc);
        if (in_array($right, $a_rights)) {
            return true;
        }
        return false;
    }

    public static function getUserId(): int {
        $sid = (isset($_SESSION['user_id'])) ? $_SESSION['user_id'] : 0;
        return intval($sid);
    }
}