<?php
require_once("env.php");
require_once("connection.php");
require_once("functions.php");

$response = array('status' => 'error', 'message' => 'Something went wrong');

if (isset($_POST['token'], $_POST['new_password'], $_POST['confirm_password'])) {
    $token = $_POST['token'];
    $new_password = $_POST['new_password'];
    $confirm_password = $_POST['confirm_password'];

    if ($new_password !== $confirm_password) {
        $response['message'] = 'Passwords do not match.';
        echo json_encode($response);
        exit();
    }

    // Verify the token
    $sql = "SELECT user_id FROM password_resets WHERE token = ? AND expires_at > NOW()";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("s", $token);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows === 0) {
        $response['message'] = 'Token is invalid or expired.';
        echo json_encode($response);
        exit();
    }

    $user = $result->fetch_assoc();
    $user_id = $user['user_id'];

    // Hash the new password
    $new_password_hash = password_hash($new_password, PASSWORD_BCRYPT);

    // Update the new password in the database
    $sql = "UPDATE users SET password = ? WHERE user_id = ?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("si", $new_password_hash, $user_id);

    if ($stmt->execute()) {
        // Delete the token from the database
        $sql = "DELETE FROM password_resets WHERE token = ?";
        $stmt = $conn->prepare($sql);
        $stmt->bind_param("s", $token);
        $stmt->execute();

        $response['status'] = 'success';
        $response['message'] = 'Password has been successfully reset.';
    } else {
        $response['message'] = 'Failed to reset password.';
    }
} else {
    $response['message'] = 'Invalid form submission.';
}

echo json_encode($response);
?>