<?php

/**
 * Make things happen when buttons are pressed and forms submitted.
 */

require_once __DIR__ . "/required.php";

// If the user presses Sign Out but we're not logged in anymore,
// we don't want to show a nasty error.
if ($VARS['action'] == 'signout' && $_SESSION['loggedin'] != true) {
    session_destroy();
    header('Location: index.php');
    die("Logged out (session was expired anyways).");
}

dieifnotloggedin();

engageRateLimit();

require_once __DIR__ . "/lib/login.php";

function returnToSender($msg, $arg = "") {
    global $VARS;
    if ($arg == "") {
        header("Location: home.php?page=" . urlencode($VARS['source']) . "&msg=$msg");
    } else {
        header("Location: home.php?page=" . urlencode($VARS['source']) . "&msg=$msg&arg=" . urlencode($arg));
    }
    die();
}

switch ($VARS['action']) {
    case "signout":
        insertAuthLog(11, $_SESSION['uid']);
        session_destroy();
        header('Location: index.php');
        die("Logged out.");
    case "chpasswd":
        $error = [];
        $result = change_password($VARS['oldpass'], $VARS['newpass'], $VARS['conpass'], $error);
        if ($result === TRUE) {
            returnToSender("password_updated");
        }
        switch (count($error)) {
            case 1:
                returnToSender($error[0]);
            case 2:
                returnToSender($error[0], $error[1]);
            default:
                returnToSender("generic_op_error");
        }
        break;
    case "add2fa":
        if (is_empty($VARS['secret'])) {
            returnToSender("invalid_parameters");
        }
        $database->update('accounts', ['authsecret' => $VARS['secret']], ['uid' => $_SESSION['uid']]);
        insertAuthLog(9, $_SESSION['uid']);
        returnToSender("2fa_enabled");
    case "rm2fa":
        $database->update('accounts', ['authsecret' => ""], ['uid' => $_SESSION['uid']]);
        insertAuthLog(10, $_SESSION['uid']);
        returnToSender("2fa_removed");
        break;
}