<?php
define('secure_34563$52', true);

//------------------------------------------
// Get DATA from API
//------------------------------------------   
$request = explode('/', trim($_SERVER['PATH_INFO'],'/'));
//$input = json_decode(file_get_contents('php://input'),true);
$post_data_curl = fopen('php://input', 'r');
$input = stream_get_contents($post_data_curl);

//------------------------------------------
// Include functions
//------------------------------------------   
require_once './assets/functions.php';
include './settings/settings_redirector.php';
include './settings/config_redirector.php';

//------------------------------------------
// Header security - enabled via config
//------------------------------------------   
if (header_security){
  
    // Array of allowed domain patterns (without the protocol part)
    $allowedDomainPatterns = [
        'vanbeers.tv',     
        'soveliti.nl',
        'veliti.nl',
        'gewoonlekkerspaans.nl'
    ];

    // Get the origin from the request headers
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';

    // Set CORS headers if origin is allowed
    if (isOriginAllowed($origin, $allowedDomainPatterns)) {
        header("Access-Control-Allow-Origin: $origin");
        header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
        header("Access-Control-Allow-Headers: Authorization, Content-Type");
        //header("Access-Control-Allow-Credentials: true"); // Include if needed
    }

    // Handle preflight requests
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        // Return early with 204 No Content for preflight requests
        http_response_code(204);
        exit;
    }
    // Strict security headers
    header('Content-Type: application/json');
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('X-XSS-Protection: 1; mode=block');
    header('Content-Security-Policy: default-src \'none\'');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // Validate Content-Type
    if (!str_contains($_SERVER['CONTENT_TYPE'] ?? '', 'application/json')) {
        http_response_code(400);
        exit(json_encode(['error' => 'Invalid Content-Type']));
    }

    // Validate request size
    $maxRequestSize = 5 * 1024 * 1024; // 5MB in bytes
    if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxRequestSize) {
        http_response_code(413);
        exit(json_encode(['error' => 'Request too large']));
    }
}

//------------------------------------------
// Retrieve API version and Collection
// api.php/(v)ersion/{get/post}/collection/
//------------------------------------------   
$version = (isset($request[0])) ? strtolower($request[0]) : '';
$collection = (isset($request[1])) ? strtolower($request[1]) : '';
$get_content = (isset($request[2])) ? strtolower($request[2]) : '';

//------------------------------------------ 
// Initial authorization request - get TOKEN
//------------------------------------------ 
if ($collection == 'authorization'){
    $api_authorization = './api/'.$version.'/'.$collection.'.php'; //Get related file
    
    if (file_exists($api_authorization)){   
        include_once $api_authorization; //Include the code
    }
    else 
    {
        echo null;
    }

}
else {

//------------------------------------------
// Check Security token
//------------------------------------------   
$bearer_token = get_bearer_token();
$is_jwt_valid = is_jwt_valid($bearer_token);

//------------------------------------------
//IF security token is valid
//------------------------------------------  
if($is_jwt_valid && str_contains($version, 'v')) {
    
    //------------------------------------------
    // Get Userrights
    //------------------------------------------    
    $userkey = getUserKey($bearer_token); //Get key from Token
    $api_user_file = './api/'.$version.'/get/user_credentials.php'; //Get related file
  
    if (file_exists($api_user_file)){   
        include_once $api_user_file; //Include the code
    }
    else 
    {
        echo null;
    }
    //
    //------------------------------------------
    // Check for maintenance mode, exclude debug user
    //------------------------------------------   
    if(maintenance_mode == false|| debug_id == $user_data['id']){

        //------------------------------------------
        // Build up version and check if file is available
        //------------------------------------------   
        $api_file = './api/'.$version.'/get/'.$collection.'.php';
        $api_file_post = './api/'.$version.'/post/'.$collection.'.php';

        //------------------------------------------   
        //GET CLEAN LANGUAGE CODE
        //------------------------------------------   
        $language_code = ($user_data['language']) ? $user_data['language'] : 'US';
        $api_file_language = './settings/translations/translations_'.strtoupper($language_code).'.php';
        
        //------------------------------------------ 
        //INCLUDE LANGUAGE FILE
        //------------------------------------------ 
        if (file_exists($api_file_language)){   
            include_once $api_file_language; //Include the code
        }
        else {
            include_once './settings/translations/translations_US.php';
        }
    
        //------------------------------------------ 
        //CHECK IF USER IS ALLOWED TO CALL SPECIFIC API
        //------------------------------------------ 

            //------------------------------------------ 
            // First check if endPoint is fileUpload
            //------------------------------------------ 
            $fileUploadEndpoints = [
                'media_upload',
                'marketing_upload'
            ];

            $isFileUploadEndpoint = in_array($collection, $fileUploadEndpoints);
            $hasValidFileData = !empty($_FILES) && $_SERVER['REQUEST_METHOD'] ==='POST';

            if ($isFileUploadEndpoint && $hasValidFileData) {
                $input = $_POST;
            }

            //------------------------------------------ 
            // END check if endPoint is fileUpload
            //------------------------------------------ 
        
        debuglog("API call: collection=$collection, input_empty=" . (empty($input) ? 'true' : 'false') . ", file_exists=" . (file_exists($api_file) ? 'true' : 'false'));

        if (isAllowed($collection,$profile,$permission,'R') === 1 && empty($input) && file_exists($api_file)){
            
            include_once $api_file;
        }
        elseif (isAllowed($collection,$profile,$permission,'U') === 1 && !empty($input) && file_exists($api_file_post)){

            include_once $api_file_post;
        } 
        else
        {
            //------------------------------------------
            // User not allowed to perform operation
            //------------------------------------------ 
            http_response_code(403); //Forbidden
        }
    } 
    else
    {
        //------------------------------------------
        // Maintenance mode is activce -> service unavailable
        //------------------------------------------ 
        http_response_code(503); //Service Unavailable
    }

  
}
else 
{
    //------------------------------------------
    // JWT not VALID
    //------------------------------------------ 
    http_response_code(403); //Forbidden
}
}

//------------------------------------------
// Debuglog
//------------------------------------------
if (debug){
    $time_elapsed = microtime(true) - $_SERVER["REQUEST_TIME_FLOAT"];
    $message = $date.';'.$collection.';'.$time_elapsed.';'.$username;
    debuglog($message);
}

?>