<cfsetting showdebugoutput="false">
<cfsetting enablecfoutputonly="true">
<cfcontent type="application/json; charset=utf-8" reset="true">
<cfheader name="Cache-Control" value="no-store">

<cfscript>
/**
 * Send OTP to phone number for LOGIN (existing verified accounts)
 *
 * POST: { "phone": "5551234567" }
 *
 * Returns: { OK: true, UUID: "..." } or { OK: false, ERROR: "..." }
 *
 * Only works for verified accounts. Returns error if no account found.
 */

function apiAbort(required struct payload) {
    writeOutput(serializeJSON(payload));
    abort;
}

function readJsonBody() {
    var raw = getHttpRequestData().content;
    if (isNull(raw)) raw = "";
    if (!len(trim(raw))) return {};
    try {
        var data = deserializeJSON(raw);
        if (isStruct(data)) return data;
    } catch (any e) {}
    return {};
}

function normalizePhone(required string p) {
    var x = trim(arguments.p);
    x = reReplace(x, "[^0-9]", "", "all");
    if (len(x) == 11 && left(x, 1) == "1") {
        x = right(x, 10);
    }
    return x;
}

function generateOTP() {
    return randRange(100000, 999999);
}

try {
    data = readJsonBody();
    phone = structKeyExists(data, "phone") ? normalizePhone(data.phone) : "";

    if (len(phone) != 10) {
        apiAbort({ "OK": false, "ERROR": "invalid_phone", "MESSAGE": "Please enter a valid 10-digit phone number" });
    }

    // Find verified account with this phone
    qUser = queryTimed("
        SELECT ID, UUID
        FROM Users
        WHERE ContactNumber = :phone
          AND IsContactVerified = 1
        LIMIT 1
    ", { phone: { value: phone, cfsqltype: "cf_sql_varchar" } }, { datasource: "payfrit" });

    if (qUser.recordCount == 0) {
        apiAbort({ "OK": false, "ERROR": "no_account", "MESSAGE": "We couldn't find an account with this number. Try signing up instead!" });
    }

    // If user has no UUID (legacy account), generate one
    userUUID = qUser.UUID;
    if (!len(trim(userUUID))) {
        userUUID = replace(createUUID(), "-", "", "all");
        queryTimed("
            UPDATE Users SET UUID = :uuid WHERE ID = :userId
        ", {
            uuid: { value: userUUID, cfsqltype: "cf_sql_varchar" },
            userId: { value: qUser.ID, cfsqltype: "cf_sql_integer" }
        }, { datasource: "payfrit" });
    }

    // Generate OTP (use magic code on dev for easy testing)
    otp = generateOTP();
    if (structKeyExists(application, "MAGIC_OTP_ENABLED") && application.MAGIC_OTP_ENABLED
        && structKeyExists(application, "MAGIC_OTP_CODE") && len(application.MAGIC_OTP_CODE)) {
        otp = application.MAGIC_OTP_CODE;
    }
    queryTimed("
        UPDATE Users
        SET MobileVerifyCode = :otp
        WHERE ID = :userId
    ", {
        otp: { value: otp, cfsqltype: "cf_sql_varchar" },
        userId: { value: qUser.ID, cfsqltype: "cf_sql_integer" }
    }, { datasource: "payfrit" });

    // Send OTP via Twilio (skip on dev server)
    smsMessage = "Code saved (SMS skipped in dev)";
    isDev = findNoCase("dev.payfrit.com", cgi.SERVER_NAME) > 0;

    if (!isDev && structKeyExists(application, "twilioObj")) {
        try {
            smsResult = application.twilioObj.sendSMS(
                recipientNumber: "+1" & phone,
                messageBody: "Your Payfrit code is: " & otp
            );
            smsMessage = smsResult.success ? "Login code sent" : "SMS failed - please try again";
        } catch (any smsErr) {
            smsMessage = "SMS error: " & smsErr.message;
        }
    }

    try{logPerf(0);}catch(any e){}
    resp = {
        "OK": true,
        "UUID": userUUID,
        "MESSAGE": smsMessage
    };
    if (isDev) {
        resp["DEV_OTP"] = otp;
    }
    writeOutput(serializeJSON(resp));

} catch (any e) {
    apiAbort({
        "OK": false,
        "ERROR": "server_error",
        "MESSAGE": e.message
    });
}
</cfscript>