<?php
// ============================================================
// upload_audio.php — رفع ملفات صوتية بشكل آمن
// ============================================================

require_once __DIR__ . '/connect.php';

header('Content-Type: application/json; charset=UTF-8');

try {
    // ✅ FIX C-03: إضافة Rate Limiting
    $limiter = new RateLimiter($redis);
    $limiter->enforce(RateLimiter::identifier(), 'upload');

    // Get the audio file from the request
    if (!isset($_FILES['audio']) || $_FILES['audio']['error'] !== UPLOAD_ERR_OK) {
        uploadLog("File upload error code: " . ($_FILES['audio']['error'] ?? 'NO_FILE'), 'ERROR');
        echo json_encode(array('status' => 'The audio file was not uploaded successfully.'));
        exit;
    }

    $audio_file = $_FILES['audio'];

    // Validate MIME type using finfo
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime_type = $finfo->file($audio_file['tmp_name']);

    $allowed_mime_types = ['audio/mp4', 'audio/mpeg', 'audio/wav', 'audio/x-m4a', 'audio/ogg', 'audio/webm'];
    if (!in_array($mime_type, $allowed_mime_types, true)) {
        uploadLog("Invalid MIME type: $mime_type", 'WARNING', ['ip' => $_SERVER['REMOTE_ADDR'] ?? 'unknown']);
        echo json_encode(array('status' => 'The audio file is not a valid format (MIME mismatch).'));
        exit;
    }

    // Get extension from MIME type (safe)
    $ext = match ($mime_type) {
        'audio/mp4', 'audio/x-m4a' => 'm4a',
        'audio/mpeg' => 'mp3',
        'audio/wav' => 'wav',
        'audio/ogg' => 'ogg',
        'audio/webm' => 'webm',
        default => 'bin',
    };

    // ✅ Generate secure random filename to prevent path traversal and overwrite
    $new_filename = bin2hex(random_bytes(16)) . '.' . $ext;

    // Move the audio file to the uploads directory
    $target_dir = __DIR__ . "/upload_audio/";
    if (!is_dir($target_dir)) {
        mkdir($target_dir, 0750, true);
    }
    $target_file = $target_dir . $new_filename;

    if (!move_uploaded_file($audio_file['tmp_name'], $target_file)) {
        uploadLog("Failed to move file", 'ERROR', ['error' => print_r($audio_file, true)]);
        echo json_encode(array('status' => 'Failed to move the audio file.'));
        exit;
    }

    // Construct the link (domain from env, not from Host header)
    $appDomain = getenv('APP_DOMAIN') ?: 'api.siromove.com';
    $linkAudio = "https://$appDomain/siro/upload_audio/" . $new_filename;

    uploadLog("Audio uploaded successfully: $linkAudio", 'INFO');
    echo json_encode(array('status' => 'Audio file uploaded successfully.', 'link' => $linkAudio));

} catch (Exception $e) {
    error_log("[upload_audio] Error: " . $e->getMessage());
    echo json_encode(array('status' => 'Server error.'));
}
?>