<?php
/**
 * Plugin Name: Aeroidea SSO
 * Description: SSO + Auto-provisioning desde Auth
 */

// =====================
// CONFIGURACIÓN
// =====================
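// SSO_SECRET is the HMAC-SHA256 key shared with the identity provider. Living in the
// plugin source it ends up in version control and cannot be rotated without a code
// change; define it in wp-config.php instead and the guards below keep that value.
if (!defined('SSO_SECRET')) define('SSO_SECRET', '982c9da697e8f812f2c9c20b203db4fe');
// Name of the cookie that carries the SSO token.
if (!defined('SSO_COOKIE')) define('SSO_COOKIE', 'aeroidea_sso');
// Role given to accounts auto-created from a token.
if (!defined('SSO_DEFAULT_ROLE')) define('SSO_DEFAULT_ROLE', 'subscriber'); // cambia si quieres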

// =====================
// JWT DECODER
// =====================
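/**
 * Verify an HS256 JWT issued by the SSO provider and return its claims.
 *
 * The signature is always recomputed with HMAC-SHA256 over SSO_SECRET and the
 * header's `alg` is pinned to HS256, so a token cannot select another algorithm.
 * The `exp` claim is mandatory and must lie in the future.
 *
 * @param mixed $jwt Raw token, normally the SSO cookie value. Anything that is not
 *                   a three-part string is rejected (cookies can arrive as arrays).
 * @return array|false Decoded payload claims, or false when the token is malformed,
 *                     carries a different algorithm, fails verification or has expired.
 */
function aeroidea_jwt_decode($jwt) {
    // `name[]=` cookies arrive as arrays; explode() would throw on those.
    if (!is_string($jwt)) return false;

    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return false;

    [$header, $payload, $signature] = $parts;

    // Pin the algorithm: verification below always uses HS256, but a header that
    // claims anything else (or is not JSON) is not a token this provider issued.
    $header_json = base64_decode(strtr($header, '-_', '+/'), true);
    $header_data = $header_json === false ? null : json_decode($header_json, true);
    if (!is_array($header_data) || ($header_data['alg'] ?? null) !== 'HS256') return false;

    $valid_signature = rtrim(strtr(
        base64_encode(
            hash_hmac('sha256', "$header.$payload", SSO_SECRET, true)
        ),
        '+/', '-_'
    ), '=');

    // Constant-time comparison; a plain === would leak how many bytes matched.
    if (!hash_equals($valid_signature, $signature)) return false;

    // Strict decoding rejects characters outside the base64 alphabet.
    $payload_json = base64_decode(strtr($payload, '-_', '+/'), true);
    if ($payload_json === false) return false;

    $data = json_decode($payload_json, true);
    if (!is_array($data) || !$data) return false;

    // `exp` is required: a token without an expiry would be valid forever.
    if (!isset($data['exp']) || !is_numeric($data['exp']) || (int) $data['exp'] < time()) return false;

    return $data;
}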

// =====================
// AUTO LOGIN + AUTO CREATE
// =====================
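/**
 * Find the WordPress user that belongs to an SSO identity, creating one if needed.
 *
 * Resolution order: (1) the `global_user_id` meta stored on a previous login,
 * (2) an existing account with the same e-mail, which is then linked,
 * (3) a new account with a random password and SSO_DEFAULT_ROLE.
 *
 * NOTE(review): step 2 lets the `email` claim of a valid token claim a pre-existing
 * local account, so it relies on the identity provider verifying e-mail ownership —
 * confirm that guarantee with the Auth team.
 *
 * @param string $global_id Stable user id from the token's `sub` claim (sanitized).
 * @param string $email     Address from the token's `email` claim (sanitized).
 * @return WP_User|null Resolved user, or null when the account could not be created.
 */
function aeroidea_sso_resolve_user($global_id, $email) {
    // 1️⃣ Buscar usuario por global_user_id
    $users = get_users([
        'meta_key'   => 'global_user_id',
        'meta_value' => $global_id,
        'number'     => 1,
    ]);
    if ($users) {
        return $users[0];
    }

    // 2️⃣ ¿Existe por email?
    $user = get_user_by('email', $email);

    if (!$user) {
        // Crear usuario nuevo
        $user_id = wp_create_user($email, wp_generate_password(), $email);

        if (is_wp_error($user_id)) {
            // Include the reason, otherwise the log line is useless for diagnosis.
            error_log('SSO: Error creando usuario: ' . $user_id->get_error_message());
            return null;
        }

        $user = get_user_by('id', $user_id);
        if (!$user) {
            error_log('SSO: Error creando usuario: no se encontró el ID ' . $user_id);
            return null;
        }

        // Rol por defecto
        $user->set_role(SSO_DEFAULT_ROLE);
    }

    // Vincular global_user_id
    update_user_meta($user->ID, 'global_user_id', $global_id);

    return $user;
}

// =====================
// AUTO LOGIN desde la cookie SSO
// =====================
// Runs on every request (priority 20): a valid token in SSO_COOKIE logs the
// matching user in; anything missing or invalid is silently ignored.
add_action('init', function () {

    // Ya logueado
    if (is_user_logged_in()) return;

    // No hay cookie
    if (empty($_COOKIE[SSO_COOKIE])) return;

    $payload = aeroidea_jwt_decode($_COOKIE[SSO_COOKIE]);
    if (!$payload) return;

    // Both claims are required; a signed token without them must not log anyone in.
    $sub        = $payload['sub']   ?? null;
    $email_claim = $payload['email'] ?? null;
    if (!is_scalar($sub) || !is_string($email_claim)) return;

    $global_id = sanitize_text_field((string) $sub);
    $email     = sanitize_email($email_claim);
    // An empty id would link unrelated accounts; an invalid e-mail cannot create a user.
    if ($global_id === '' || !is_email($email)) return;

    $user = aeroidea_sso_resolve_user($global_id, $email);
    if (!$user) return;

    // 3️⃣ LOGUEAR
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);

}, 20);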
