<?php

namespace Dashboard\Unifi\Http\Controllers;

use App\Models\Setting;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

/**
 * Token-protected JSON endpoints for external integrations (signage,
 * kiosks, room displays, etc.) that need the current rotating WiFi
 * password without going through the dashboard UI.
 */
class WifiApiController extends Controller
{
    public function currentPassword(Request $request)
    {
        if (! Setting::get('unifi.api.enabled')) {
            return response()->json(['error' => 'API disabled'], 503);
        }

        $expected = Setting::get('unifi.api_token');
        if (! $expected) {
            return response()->json(['error' => 'API token not configured'], 503);
        }

        $provided = $request->bearerToken() ?: $request->query('token');
        if (! $provided || ! hash_equals($expected, $provided)) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        $password = Setting::get('unifi.password_rotation.last_password');
        if (! $password) {
            return response()->json([
                'error' => 'No rotated password recorded yet — wait for the next scheduled rotation or run unifi:rotate-passwords --force.',
            ], 404);
        }

        return response()->json([
            'password'   => $password,
            'rotated_at' => Setting::get('unifi.password_rotation.last_rotated_at'),
        ]);
    }
}