<?php
ob_start();

// Turn every PHP error/warning/notice into an ErrorException
// so set_exception_handler catches everything
set_error_handler(function(int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, $errno, $errno, $errfile, $errline);
});

// Catch ALL uncaught exceptions and return clean JSON
set_exception_handler(function(Throwable $e): void {
    ob_clean();
    header('Content-Type: application/json; charset=utf-8');
    http_response_code(500);
    echo json_encode([
        'success' => false,
        'error'   => $e->getMessage(),
        'type'    => get_class($e),
        'file'    => basename($e->getFile()),
        'line'    => $e->getLine(),
        'trace'   => $e->getTraceAsString(),
    ], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
    exit;
});

require_once __DIR__ . '/db.php';

function require_auth(): array {
    $token = $_POST['token'] ?? $_GET['token'] ?? '';
    if (empty($token)) {
        json_error('Authentication token required', 401);
    }

    $stmt = db()->prepare(
        'SELECT t.token, t.expires_at, t.safesure_users_id,
                u.record_id, u.safesure_users_name, u.name,
                u.email, u.user_type_id, u.clients_multi,
                u.assessor_number, u.moderator_number
         FROM api_tokens t
         JOIN safesure_users u ON u.record_id = t.safesure_users_id
         WHERE t.token = ? AND t.expires_at > NOW()
         LIMIT 1'
    );
    $stmt->execute([$token]);
    $user = $stmt->fetch();

    if (!$user) {
        json_error('Invalid or expired token', 401);
    }

    db()->prepare('UPDATE api_tokens SET last_used_at = NOW() WHERE token = ?')
        ->execute([$token]);

    return $user;
}

function require_admin(array $user): void {
    if ((int)$user['user_type_id'] !== 1) {
        json_error('Admin access required', 403);
    }
}

function json_response(array $data, int $status = 200): void {
    while (ob_get_level()) ob_end_clean();
    header('Content-Type: application/json; charset=utf-8');
    header('Access-Control-Allow-Origin: *');
    http_response_code($status);
    echo json_encode($data, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
    exit;
}

function json_error(string $message, int $status = 400): void {
    json_response(['success' => false, 'error' => $message], $status);
}

function json_success(array $data = [], string $message = 'OK'): void {
    json_response(array_merge(['success' => true, 'message' => $message], $data));
}

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    ob_clean();
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
    exit;
}