musadaq-saas/app/modules_app/invoices/upload.php

<?php
/**
 * Invoice Upload Endpoint (Multi-Tenant & Role-Aware)
 */

use App\Core\Database;
use App\Middleware\AuthMiddleware;

// 1. Auth Check
$decoded = AuthMiddleware::check();
$tenantId = $decoded['tenant_id'];
$userId = $decoded['user_id'];

// --- QUOTA CHECK ---
\App\Middleware\QuotaMiddleware::checkInvoiceQuota($tenantId);
// -------------------

$db = Database::getInstance();

$allowedRoles = ['admin', 'accountant', 'employee'];
if (!in_array($decoded['role'], $allowedRoles)) {
    json_error('Unauthorized to upload invoices', 403);
}
// 2. Validate Request
$data = input();
$companyId = $data['company_id'] ?? null;

if (!$companyId || !isset($_FILES['invoice'])) {
    json_error('Company ID and invoice file are required', 422);
}

// 3. Permission Check
$tenantId = $decoded['tenant_id'];
$userId = $decoded['user_id'];

// Everyone (except Super Admin) must belong to the same tenant as the company
$stmt = $db->prepare("SELECT id FROM companies WHERE id = ? AND tenant_id = ? AND deleted_at IS NULL");
$stmt->execute([$companyId, $tenantId]);

if (!$stmt->fetch()) {
    json_error('Access denied to this company or invalid company ID', 403);
}

// 4. Handle File Upload (Step-by-step for permission safety)
$tenantDir = STORAGE_PATH . '/invoices/' . $tenantId;
$companyDir = $tenantDir . '/' . $companyId;
$dateFolder = date('Y-m-d');
$uploadDir = $companyDir . '/' . $dateFolder . '/';

foreach ([$tenantDir, $companyDir, $uploadDir] as $dir) {
    if (!is_dir($dir)) {
        if (!mkdir($dir, 0777, true)) {
            error_log("UPLOAD ERROR: Failed to create directory: " . $dir);
            json_error('فشل في إنشاء مجلد التخزين: ' . $dir, 500);
        }
        chmod($dir, 0777); // Force permissions
    }
}

$extension = pathinfo($_FILES['invoice']['name'], PATHINFO_EXTENSION);
$fileName = bin2hex(random_bytes(8)) . '_' . time() . '.' . $extension;
$targetFile = $uploadDir . $fileName;

if (move_uploaded_file($_FILES['invoice']['tmp_name'], $targetFile)) {
    // 5. Run AI Extraction
    $mimeType = $_FILES['invoice']['type'];
    $fileContent = file_get_contents($targetFile);
    if (!$fileContent) {
        error_log("UPLOAD ERROR: Failed to read file content: " . $targetFile);
        json_error('فشل في قراءة الملف المرفوع', 500);
    }
    $base64Data = base64_encode($fileContent);
    
    $extracted = \App\Core\AI::extractInvoiceData($base64Data, $mimeType);
    
    if (!$extracted) {
        // Still save basic record if AI fails
        $stmt = $db->prepare("INSERT INTO invoices (tenant_id, company_id, uploaded_by, original_file_path, status, created_at) VALUES (?, ?, ?, ?, 'uploaded', NOW())");
        $stmt->execute([$tenantId, $companyId, $userId, $targetFile]);
        json_success(['id' => $db->lastInsertId()], 'تم رفع الفاتورة ولكن فشل استخراج البيانات تلقائياً');
    }

    // 6. Save Extracted Data with Encryption
    try {
        $db->beginTransaction();

        $invoiceId = bin2hex(random_bytes(16)); // Generate UUID (simple version for now or use a lib)
        // Let's use a standard UUID format if possible, but MySQL CHAR(36) accepts anything.
        // Actually, let's just use the DB's UUID() function but FETCH it back or generate it here.
        // I'll use a better UUID generator logic.
        $invoiceId = vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex(random_bytes(16)), 4));

        $stmt = $db->prepare("
            INSERT INTO invoices (
                id, tenant_id, company_id, uploaded_by, original_file_path, status,
                invoice_number, invoice_date, invoice_type, invoice_category,
                supplier_tin, supplier_name, supplier_address,
                buyer_tin, buyer_name, buyer_national_id,
                subtotal, tax_amount, discount_total, grand_total, currency_code,
                created_at
            ) VALUES (
                :id, :tenant_id, :company_id, :uploaded_by, :path, 'extracted',
                :num, :date, :type, :cat, :s_tin, :s_name, :s_addr, :b_tin, :b_name, :b_nid,
                :sub, :tax, :disc, :total, :cur, NOW()
            )
        ");

        $stmt->execute([
            'id'         => $invoiceId,
            'tenant_id'  => $tenantId,
            'company_id' => $companyId,
            'uploaded_by'=> $userId,
            'path'       => $targetFile,
            'num'        => $extracted['invoice_number'] ?? null,
            'date'       => $extracted['invoice_date'] ?? null,
            'type'       => $extracted['invoice_type'] ?? 'cash',
            'cat'        => $extracted['invoice_category'] ?? 'simplified',
            's_tin'      => \App\Core\Encryption::encrypt($extracted['supplier']['tin'] ?? ''),
            's_name'     => \App\Core\Encryption::encrypt($extracted['supplier']['name'] ?? ''),
            's_addr'     => \App\Core\Encryption::encrypt($extracted['supplier']['address'] ?? ''),
            'b_tin'      => \App\Core\Encryption::encrypt($extracted['buyer']['tin'] ?? ''),
            'b_name'     => \App\Core\Encryption::encrypt($extracted['buyer']['name'] ?? ''),
            'b_nid'      => \App\Core\Encryption::encrypt($extracted['buyer']['national_id'] ?? ''),
            'sub'        => $extracted['subtotal'] ?? 0,
            'tax'        => $extracted['tax_amount'] ?? 0,
            'disc'       => $extracted['discount_total'] ?? 0,
            'total'      => $extracted['grand_total'] ?? 0,
            'cur'        => $extracted['currency_code'] ?? 'JOD'
        ]);

        // Save Line Items
        if (!empty($extracted['lines'])) {
            $lineStmt = $db->prepare("
                INSERT INTO invoice_lines (invoice_id, line_number, description, quantity, unit_price, tax_rate, line_total)
                VALUES (?, ?, ?, ?, ?, ?, ?)
            ");
            foreach ($extracted['lines'] as $item) {
                $lineStmt->execute([
                    $invoiceId,
                    $item['line_number'] ?? 1,
                    $item['description'] ?? 'N/A',
                    $item['quantity'] ?? 1,
                    $item['unit_price'] ?? 0,
                    $item['tax_rate'] ?? 0.16,
                    $item['line_total'] ?? 0
                ]);
            }
        }

        $db->commit();
        
        // --- INCREMENT QUOTA ---
        \App\Middleware\QuotaMiddleware::incrementInvoiceUsage($tenantId);
        // -----------------------
        
        json_success(['id' => $invoiceId], 'تم رفع الفاتورة واستخراج البيانات بنجاح');

    } catch (\Exception $e) {
        $db->rollBack();
        error_log("DB Error during invoice save: " . $e->getMessage());
        json_error('حدث خطأ أثناء حفظ بيانات الفاتورة', 500);
    }
} else {
    $uploadError = $_FILES['invoice']['error'] ?? 'Unknown';
    error_log("UPLOAD ERROR: move_uploaded_file failed. Error Code: $uploadError. Target: $targetFile. Tmp: " . ($_FILES['invoice']['tmp_name'] ?? 'N/A'));
    json_error('Failed to save uploaded file. PHP Error Code: ' . $uploadError, 500);
}