<?php
/**
 * Secure Magic Login Handler
 */

define('WP_USE_THEMES', false);
require_once __DIR__ . '/wp-load.php';

// Do not cache magic login
nocache_headers();

// --- Helpers -------------------------------------------------

function redirect_home() {
    wp_safe_redirect(home_url());
    exit;
}

// --- Input ---------------------------------------------------

$username = isset($_GET['username'])
    ? sanitize_user(wp_unslash($_GET['username']))
    : '';

$token = isset($_GET['token'])
    ? sanitize_text_field(wp_unslash($_GET['token']))
    : '';

if (empty($username) || empty($token)) {
    redirect_home();
}

// --- User Lookup --------------------------------------------

$user = get_user_by('login', $username);

if (!$user) {
    redirect_home();
}

// --- Token Validation ---------------------------------------

$stored_token   = get_user_meta($user->ID, 'magic_login_token', true);
$created        = (int) get_user_meta($user->ID, 'magic_login_created', true);
$expires_in     = 300; // 5 minutes

if (
    empty($stored_token) ||
    empty($created) ||
    !hash_equals($stored_token, $token) ||
    (time() - $created) > $expires_in
) {
    redirect_home();
}

// --- Consume Token (ONE-TIME USE) ----------------------------

delete_user_meta($user->ID, 'magic_login_token');
delete_user_meta($user->ID, 'magic_login_created');

// --- Login ---------------------------------------------------

wp_clear_auth_cookie();
wp_set_current_user($user->ID);
wp_set_auth_cookie($user->ID, true);

// --- Redirect -----------------------------------------------

wp_safe_redirect(admin_url());
exit;