<?php
// backend/config/db.php

header('Content-Type: application/json');

require_once __DIR__ . '/../vendor/autoload.php';

use Dotenv\Dotenv;

// Try to load .env from multiple possible locations
$envLoaded = false;
$searchPaths = [
    __DIR__ . '/../..',                          // jordan_bot/
    __DIR__ . '/../../..',                        // lawer.tripz-egypt.com/
    __DIR__ . '/../../../..',                     // htdocs/
    __DIR__ . '/../../../../..',                  // home directory
    posix_getpwuid(posix_getuid())['dir'] ?? '',  // PHP-detected home dir
];

foreach ($searchPaths as $path) {
    if (!empty($path) && file_exists($path . '/.env')) {
        try {
            $dotenv = Dotenv::createImmutable($path);
            $dotenv->load();
            $envLoaded = true;
            break;
        } catch (Exception $e) {
            // Try next path
        }
    }
}

if (!$envLoaded) {
    http_response_code(500);
    echo json_encode([
        'success' => false,
        'message' => '.env file not found. Searched paths: ' . implode(', ', array_filter($searchPaths))
    ]);
    exit;
}

// Security: API Key Validation
$expectedApiKey = $_ENV['API_KEY'] ?? 'JORDAN_BOT_SECRET_2026'; // Fallback if not in .env
$headers = getallheaders();
$providedKey = $headers['X-API-Key'] ?? ($headers['x-api-key'] ?? null);

if ($providedKey !== $expectedApiKey) {
    http_response_code(401);
    echo json_encode(['success' => false, 'message' => 'Unauthorized: Invalid or missing API Key']);
    exit;
}

// Extra Security: App Signature Fingerprint Validation (Optional)
$expectedAppSignature = $_ENV['APP_SIGNATURE_SHA256'] ?? null;
if (!empty($expectedAppSignature)) {
    $providedSignature = $headers['X-App-Signature'] ?? ($headers['x-app-signature'] ?? null);
    // Ignore case and compare
    if (strcasecmp($providedSignature, $expectedAppSignature) !== 0) {
        http_response_code(403);
        echo json_encode(['success' => false, 'message' => 'Forbidden: Invalid App Signature (Anti-Tamper)']);
        exit;
    }
}

$host = $_ENV['DB_HOST'] ?? 'localhost';
$dbname = $_ENV['DB_NAME'] ?? 'jordan_bot_db';
$username = $_ENV['DB_USER'] ?? 'root';
$password = $_ENV['DB_PASS'] ?? '';

try {
    $pdo = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8", $username, $password);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Database connection failed: ' . $e->getMessage()]);
    exit;
}
?>