<?php
/**
 * POST /api/sms-done
 *
 * Called by Caller Android App after sending an SMS OTP.
 *
 * Request body:
 *   {
 *     "task_id": 43,
 *     "device_id": "DEVICE_XXX",
 *     "app_key": "SECRET_DEVICE_KEY",
 *     "result": "success" | "failed"
 *   }
 */

header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, X-App-Key');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['success' => false, 'message' => 'method_not_allowed']);
    exit;
}

require_once __DIR__ . '/../includes/Database.php';
require_once __DIR__ . '/../includes/Auth.php';
require_once __DIR__ . '/../includes/Logger.php';

// Authenticate — requires device key
Auth::requireAuth('device');

$input = json_decode(file_get_contents('php://input'), true);

if (!$input || !isset($input['task_id']) || !isset($input['device_id']) || !isset($input['result'])) {
    http_response_code(400);
    echo json_encode(['success' => false, 'message' => 'missing_required_fields']);
    RequestLogger::log('sms-done', 'POST', $input, 400, 'missing_fields');
    exit;
}

$taskId = (int) $input['task_id'];
$deviceId = trim($input['device_id']);
$result = trim($input['result']);

// Validate result
$validResults = ['success', 'failed'];
if (!in_array($result, $validResults, true)) {
    http_response_code(400);
    echo json_encode(['success' => false, 'message' => 'invalid_result_value']);
    RequestLogger::log('sms-done', 'POST', $input, 400, 'invalid_result');
    exit;
}

$db = Database::getInstance();

try {
    // Verify this task belongs to this device
    $stmt = $db->prepare(
        "SELECT id, status, method FROM otp_requests WHERE id = ? AND device_id = ?"
    );
    $stmt->execute([$taskId, $deviceId]);
    $task = $stmt->fetch();

    if (!$task) {
        http_response_code(404);
        echo json_encode(['success' => false, 'message' => 'task_not_found']);
        RequestLogger::log('sms-done', 'POST', $input, 404, 'task_not_found');
        exit;
    }

    if ($task['status'] !== 'calling') {
        http_response_code(409);
        echo json_encode(['success' => false, 'message' => 'task_not_in_calling_state']);
        RequestLogger::log('sms-done', 'POST', $input, 409, 'wrong_status');
        exit;
    }

    $newStatus = ($result === 'success') ? 'completed' : 'failed';

    $db->beginTransaction();

    // Update OTP request status
    $stmt = $db->prepare(
        "UPDATE otp_requests
         SET status = ?, updated_at = NOW()
         WHERE id = ? AND device_id = ?"
    );
    $stmt->execute([$newStatus, $taskId, $deviceId]);

    // Increment calls_today (counts both calls and SMS)
    $stmt = $db->prepare(
        "UPDATE caller_devices
         SET calls_today = calls_today + 1
         WHERE device_id = ?"
    );
    $stmt->execute([$deviceId]);

    $db->commit();

    echo json_encode([
        'success' => true,
        'status'  => $newStatus,
    ]);

    RequestLogger::log('sms-done', 'POST', $input, 200);

} catch (\Throwable $e) {
    $db->rollBack();
    error_log('sms-done error: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'internal_error']);
    RequestLogger::log('sms-done', 'POST', $input, 500, $e->getMessage());
}