<?php
/**
 * Invoice Upload Endpoint (Multi-Tenant & Role-Aware)
 */

use App\Core\Database;
use App\Middleware\AuthMiddleware;

// 1. Auth Check
$decoded = AuthMiddleware::check();
$db = Database::getInstance();

$allowedRoles = ['admin', 'accountant', 'employee'];
if (!in_array($decoded['role'], $allowedRoles)) {
    json_error('Unauthorized to upload invoices', 403);
}
// 2. Validate Request
$data = input();
$companyId = $data['company_id'] ?? null;

if (!$companyId || !isset($_FILES['invoice'])) {
    json_error('Company ID and invoice file are required', 422);
}

// 3. Permission Check
$tenantId = $decoded['tenant_id'];
$userId = $decoded['user_id'];

// Everyone (except Super Admin) must belong to the same tenant as the company
$stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
$stmt->execute([$companyId, $tenantId]);

if (!$stmt->fetch()) {
    json_error('Access denied to this company or invalid company ID', 403);
}

// 4. Handle File Upload (Step-by-step for permission safety)
$tenantDir = STORAGE_PATH . '/invoices/' . $tenantId;
$companyDir = $tenantDir . '/' . $companyId;
$dateFolder = date('Y-m-d');
$uploadDir = $companyDir . '/' . $dateFolder . '/';

foreach ([$tenantDir, $companyDir, $uploadDir] as $dir) {
    if (!is_dir($dir)) {
        if (!mkdir($dir, 0777, true)) {
            error_log("UPLOAD ERROR: Failed to create directory: " . $dir);
            json_error('فشل في إنشاء مجلد التخزين: ' . $dir, 500);
        }
        chmod($dir, 0777); // Force permissions
    }
}

$extension = pathinfo($_FILES['invoice']['name'], PATHINFO_EXTENSION);
$fileName = bin2hex(random_bytes(8)) . '_' . time() . '.' . $extension;
$targetFile = $uploadDir . $fileName;

if (move_uploaded_file($_FILES['invoice']['tmp_name'], $targetFile)) {
    // 5. Run AI Extraction
    $mimeType = $_FILES['invoice']['type'];
    $fileContent = file_get_contents($targetFile);
    if (!$fileContent) {
        error_log("UPLOAD ERROR: Failed to read file content: " . $targetFile);
        json_error('فشل في قراءة الملف المرفوع', 500);
    }
    $base64Data = base64_encode($fileContent);
    
    $extracted = \App\Core\AI::extractInvoiceData($base64Data, $mimeType);
    
    if (!$extracted) {
        // Still save basic record if AI fails
        $stmt = $db->prepare("INSERT INTO invoices (tenant_id, company_id, uploaded_by, original_file_path, status, created_at) VALUES (?, ?, ?, ?, 'uploaded', NOW())");
        $stmt->execute([$tenantId, $companyId, $userId, $targetFile]);
        json_success(['id' => $db->lastInsertId()], 'تم رفع الفاتورة ولكن فشل استخراج البيانات تلقائياً');
    }

    // 6. Save Extracted Data with Encryption
    try {
        $db->beginTransaction();

        $stmt = $db->prepare("
            INSERT INTO invoices (
                tenant_id, company_id, uploaded_by, original_file_path, status,
                invoice_number, invoice_date, invoice_type, invoice_category,
                supplier_tin, supplier_name, supplier_address,
                buyer_tin, buyer_name, buyer_national_id,
                subtotal, tax_amount, discount_total, grand_total, currency_code,
                created_at
            ) VALUES (?, ?, ?, ?, 'extracted', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())
        ");

        $stmt->execute([
            $tenantId, $companyId, $userId, $targetFile,
            $extracted['invoice_number'] ?? null,
            $extracted['invoice_date'] ?? null,
            $extracted['invoice_type'] ?? 'cash',
            $extracted['invoice_category'] ?? 'simplified',
            // Encrypt sensitive details
            \App\Core\Encryption::encrypt($extracted['supplier_tin'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['supplier_name'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['supplier_address'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['buyer_tin'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['buyer_name'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['buyer_national_id'] ?? ''),
            $extracted['subtotal'] ?? 0,
            $extracted['tax_amount'] ?? 0,
            $extracted['discount_total'] ?? 0,
            $extracted['grand_total'] ?? 0,
            $extracted['currency'] ?? 'JOD'
        ]);

        $invoiceId = $db->lastInsertId();

        // Save Line Items (No encryption for lines for now, usually not sensitive but can be)
        if (!empty($extracted['items'])) {
            $lineStmt = $db->prepare("
                INSERT INTO invoice_lines (invoice_id, description, quantity, unit_price, tax_amount, total)
                VALUES (?, ?, ?, ?, ?, ?)
            ");
            foreach ($extracted['items'] as $item) {
                $lineStmt->execute([
                    $invoiceId,
                    $item['description'] ?? 'N/A',
                    $item['quantity'] ?? 1,
                    $item['unit_price'] ?? 0,
                    $item['tax_amount'] ?? 0,
                    $item['total'] ?? 0
                ]);
            }
        }

        $db->commit();
        json_success(['id' => $invoiceId], 'تم رفع الفاتورة واستخراج البيانات بنجاح');

    } catch (\Exception $e) {
        $db->rollBack();
        error_log("DB Error during invoice save: " . $e->getMessage());
        json_error('حدث خطأ أثناء حفظ بيانات الفاتورة', 500);
    }
} else {
    $uploadError = $_FILES['invoice']['error'] ?? 'Unknown';
    error_log("UPLOAD ERROR: move_uploaded_file failed. Error Code: $uploadError. Target: $targetFile. Tmp: " . ($_FILES['invoice']['tmp_name'] ?? 'N/A'));
    json_error('Failed to save uploaded file. PHP Error Code: ' . $uploadError, 500);
}