<?php
/**
 * Secure File Proxy for Invoices
 */

use App\Core\Database;
use App\Middleware\AuthMiddleware;

// Extract token from header OR query string
$headers = getallheaders();
$authHeader = $headers['Authorization'] ?? $headers['authorization'] ?? '';
$token = '';

if (preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
    $token = $matches[1];
} elseif (isset($_GET['token'])) {
    $token = $_GET['token'];
}

if (!$token) die('Forbidden: No token provided');

$decoded = \App\Core\JWT::decode($token);
if (!$decoded) die('Forbidden: Invalid token');

$db = Database::getInstance();

$id = input('id');
if (!$id) die('Forbidden');

$stmt = $db->prepare("SELECT tenant_id, original_file_path FROM invoices WHERE id = ?");
$stmt->execute([$id]);
$invoice = $stmt->fetch();

if (!$invoice) die('Not found');

// Authorization
if ($decoded['role'] !== 'super_admin' && $invoice['tenant_id'] !== $decoded['tenant_id']) {
    die('Unauthorized');
}

$filePath = $invoice['original_file_path'];

if (!file_exists($filePath)) {
    error_log("FILE PROXY ERROR: File not found at " . $filePath);
    header("HTTP/1.0 404 Not Found");
    exit('File missing');
}

if (!is_readable($filePath)) {
    error_log("FILE PROXY ERROR: File not readable at " . $filePath);
    header("HTTP/1.0 403 Forbidden");
    exit('Permission denied');
}

$mime = mime_content_type($filePath);
header("Content-Type: $mime");
header("Content-Length: " . filesize($filePath));
header("Cache-Control: public, max-age=3600"); // Add caching for speed
readfile($filePath);
exit;