Update: 2026-05-04 17:29:56

app/modules_app/invoices/download_xml.php

@@ -0,0 +1,44 @@
+<?php
+/**
+ * Official JoFotara XML Download
+ */
+
+use App\Core\Database;
+use App\Middleware\AuthMiddleware;
+
+// 1. Auth Check
+$decoded = AuthMiddleware::check();
+$db = Database::getInstance();
+
+// 2. Validate Request
+$id = $_GET['id'] ?? null;
+if (!$id) json_error('Invoice ID is required', 422);
+
+$tenantId = $decoded['tenant_id'];
+
+try {
+    // 3. Fetch accepted submission for this invoice
+    $stmt = $db->prepare("
+        SELECT js.xml_payload, js.jofotara_uuid
+        FROM jofotara_submissions js
+        JOIN invoices i ON js.invoice_id = i.id
+        WHERE i.id = ? AND i.tenant_id = ? AND js.status = 'accepted'
+        ORDER BY js.created_at DESC LIMIT 1
+    ");
+    $stmt->execute([$id, $tenantId]);
+    $row = $stmt->fetch();
+
+    if (!$row || empty($row['xml_payload'])) {
+        json_error('لا يوجد XML رسمي متاح لهذه الفاتورة', 404);
+    }
+
+    // 4. Send headers for download
+    header('Content-Type: application/xml; charset=utf-8');
+    header('Content-Disposition: attachment; filename="invoice_' . ($row['jofotara_uuid'] ?: $id) . '.xml"');
+    echo $row['xml_payload'];
+    exit;
+
+} catch (\Exception $e) {
+    error_log("XML Download Error: " . $e->getMessage());
+    json_error('خطأ في تحميل الملف', 500);
+}

app/modules_app/invoices/view.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * View Invoice Details Endpoint (with Line Items)
+ * Invoice View Endpoint (Decrypted & JoFotara Aware)
  */
 
 use App\Core\Database;
@@ -11,32 +11,24 @@ use App\Middleware\AuthMiddleware;
 $decoded = AuthMiddleware::check();
 $db = Database::getInstance();
 
-$id = input('id');
-if (!$id) {
-    json_error('Invoice ID is required', 422);
-}
+// 2. Validate Request
+$id = $_GET['id'] ?? null;
+if (!$id) json_error('Invoice ID is required', 422);
+
+// 3. Permission Check (Multi-Tenant Isolation)
+$tenantId = $decoded['tenant_id'];
 
 try {
-    // 2. Fetch Invoice
     $stmt = $db->prepare("
-        SELECT i.*, c.name as company_name
+        SELECT i.*, c.name as company_name 
         FROM invoices i
-        LEFT JOIN companies c ON i.company_id = c.id
-        WHERE i.id = ?
+        JOIN companies c ON i.company_id = c.id
+        WHERE i.id = ? AND i.tenant_id = ?
     ");
-    $stmt->execute([$id]);
+    $stmt->execute([$id, $tenantId]);
     $invoice = $stmt->fetch();
 
-    if (!$invoice) {
-        json_error('Invoice not found', 404);
-    }
-
-    // 3. Authorization Check
-    if ($decoded['role'] !== 'super_admin') {
-        if ($invoice['tenant_id'] !== $decoded['tenant_id']) {
-            json_error('Unauthorized access to this invoice', 403);
-        }
-    }
+    if (!$invoice) json_error('Invoice not found or access denied', 404);
 
     // 4. Fetch Line Items
     $stmtLines = $db->prepare("SELECT * FROM invoice_lines WHERE invoice_id = ? ORDER BY line_number ASC");
@@ -57,13 +49,30 @@ try {
         $invoice['company_name'] = $decrypt($invoice['company_name']);
     }
 
-    // 6. Generate Public URL for File (Assuming storage is symlinked or served)
-    // For now, let's just return the relative path or a proxy route
-    // We'll add a proxy route later if needed.
-    $invoice['file_url'] = '/index.php?route=v1/invoices/file&id=' . $invoice['id'];
+    // 6. Fetch JoFotara Submission Data
+    $stmtSub = $db->prepare("
+        SELECT jofotara_uuid, submitted_at, qr_code_raw, status as submission_status, response_body
+        FROM jofotara_submissions
+        WHERE invoice_id = ? AND status = 'accepted'
+        ORDER BY created_at DESC LIMIT 1
+    ");
+    $stmtSub->execute([$id]);
+    $submission = $stmtSub->fetch();
+
+    $invoice['jofotara'] = $submission ? [
+        'uuid'         => $submission['jofotara_uuid'],
+        'submitted_at' => $submission['submitted_at'],
+        'qr_image_uri' => $submission['qr_code_raw'] ? 'data:image/png;base64,' . $submission['qr_code_raw'] : null,
+        'has_xml'      => true
+    ] : null;
+
+    // 7. Generate Public URL for File
+    $token = Encryption::encrypt($invoice['original_file_path']);
+    $invoice['file_url'] = '/index.php?route=v1/invoices/file&file_token=' . urlencode($token);
 
     json_success($invoice);
 
 } catch (\Exception $e) {
-    json_error('Error fetching invoice: ' . $e->getMessage(), 500);
+    error_log("Invoice View Error: " . $e->getMessage());
+    json_error('Server error during invoice retrieval', 500);
 }