musadaq-saas/app/modules_app/invoices/upload.php

<?php
/**
 * Invoice Upload Endpoint (Multi-Tenant & Role-Aware)
 */

use App\Core\Database;
use App\Middleware\AuthMiddleware;

// 1. Auth Check
$decoded = AuthMiddleware::check();
$db = Database::getInstance();

$allowedRoles = ['admin', 'accountant', 'employee'];
if (!in_array($decoded['role'], $allowedRoles)) {
    json_error('Unauthorized to upload invoices', 403);
}
// 2. Validate Request
$data = input();
$companyId = $data['company_id'] ?? null;

if (!$companyId || !isset($_FILES['invoice'])) {
    json_error('Company ID and invoice file are required', 422);
}

// 3. Permission Check
$tenantId = $decoded['tenant_id'];
$userId = $decoded['user_id'];

// Everyone (except Super Admin who shouldn't upload here) must belong to the tenant
// And if they are NOT an admin, they must be assigned to this company
if ($decoded['role'] !== 'admin' && $decoded['role'] !== 'super_admin') {
    $stmt = $db->prepare("SELECT id FROM user_company_assignments WHERE user_id = ? AND company_id = ? AND is_active = 1");
    $stmt->execute([$userId, $companyId]);
    if (!$stmt->fetch()) {
        json_error('Access denied to this company', 403);
    }
}

// 4. Handle File Upload
$dateFolder = date('Y-m-d');
$uploadDir = STORAGE_PATH . '/invoices/' . $tenantId . '/' . $companyId . '/' . $dateFolder . '/';
if (!is_dir($uploadDir)) mkdir($uploadDir, 0775, true);

$extension = pathinfo($_FILES['invoice']['name'], PATHINFO_EXTENSION);
$fileName = bin2hex(random_bytes(8)) . '_' . time() . '.' . $extension;
$targetFile = $uploadDir . $fileName;

if (move_uploaded_file($_FILES['invoice']['tmp_name'], $targetFile)) {
    
    // 5. Run AI Extraction
    $mimeType = $_FILES['invoice']['type'];
    $base64Data = base64_encode(file_get_contents($targetFile));
    
    $extracted = \App\Core\AI::extractInvoiceData($base64Data, $mimeType);
    
    if (!$extracted) {
        // Still save basic record if AI fails
        $stmt = $db->prepare("INSERT INTO invoices (tenant_id, company_id, uploaded_by, original_file_path, status, created_at) VALUES (?, ?, ?, ?, 'uploaded', NOW())");
        $stmt->execute([$tenantId, $companyId, $userId, $targetFile]);
        json_success(['id' => $db->lastInsertId()], 'تم رفع الفاتورة ولكن فشل استخراج البيانات تلقائياً');
    }

    // 6. Save Extracted Data with Encryption
    try {
        $db->beginTransaction();

        $stmt = $db->prepare("
            INSERT INTO invoices (
                tenant_id, company_id, uploaded_by, original_file_path, status,
                invoice_number, invoice_date, invoice_type, invoice_category,
                supplier_tin, supplier_name, supplier_address,
                buyer_tin, buyer_name, buyer_national_id,
                subtotal, tax_amount, discount_total, grand_total, currency_code,
                created_at
            ) VALUES (?, ?, ?, ?, 'extracted', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())
        ");

        $stmt->execute([
            $tenantId, $companyId, $userId, $targetFile,
            $extracted['invoice_number'] ?? null,
            $extracted['invoice_date'] ?? null,
            $extracted['invoice_type'] ?? 'cash',
            $extracted['invoice_category'] ?? 'simplified',
            // Encrypt sensitive details
            \App\Core\Encryption::encrypt($extracted['supplier_tin'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['supplier_name'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['supplier_address'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['buyer_tin'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['buyer_name'] ?? ''),
            \App\Core\Encryption::encrypt($extracted['buyer_national_id'] ?? ''),
            $extracted['subtotal'] ?? 0,
            $extracted['tax_amount'] ?? 0,
            $extracted['discount_total'] ?? 0,
            $extracted['grand_total'] ?? 0,
            $extracted['currency'] ?? 'JOD'
        ]);

        $invoiceId = $db->lastInsertId();

        // Save Line Items (No encryption for lines for now, usually not sensitive but can be)
        if (!empty($extracted['items'])) {
            $lineStmt = $db->prepare("
                INSERT INTO invoice_lines (invoice_id, description, quantity, unit_price, tax_amount, total)
                VALUES (?, ?, ?, ?, ?, ?)
            ");
            foreach ($extracted['items'] as $item) {
                $lineStmt->execute([
                    $invoiceId,
                    $item['description'] ?? 'N/A',
                    $item['quantity'] ?? 1,
                    $item['unit_price'] ?? 0,
                    $item['tax_amount'] ?? 0,
                    $item['total'] ?? 0
                ]);
            }
        }

        $db->commit();
        json_success(['id' => $invoiceId], 'تم رفع الفاتورة واستخراج البيانات بنجاح');

    } catch (\Exception $e) {
        $db->rollBack();
        error_log("DB Error during invoice save: " . $e->getMessage());
        json_error('حدث خطأ أثناء حفظ بيانات الفاتورة', 500);
    }
} else {
    json_error('Failed to save uploaded file', 500);
}