<?php

declare(strict_types=1);
/* doc-project | pointages/api/livreurs.php | Expose une API JSON sécurisée pour consulter et gérer les livreurs par point de vente. | Expose: api_livreurs_respond | Dépend de: config.php, includes/driver_store.php, session PHP, base de données pos_ip_authorizations | Impacte: réponse HTTP JSON, autorisation de session/IP, gestion des livreurs | Tables: pos_ip_authorizations(ip_address, authorized_until) */

// Buffer all output so that api_livreurs_respond() can drop anything written
// before the JSON body and the client only ever receives the document itself.
ob_start();

// Every response produced by this endpoint is JSON.
header('Content-Type: application/json; charset=utf-8');

session_start();
date_default_timezone_set('Europe/Paris');

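/**
 * Emit a JSON response and terminate the script.
 *
 * Whatever the output buffer started at the top of the file has captured so
 * far is discarded, so the body consists of the JSON document only.
 *
 * @param int                  $statusCode HTTP status code sent to the client.
 * @param array<string, mixed> $payload    Data serialised as the response body.
 */
function api_livreurs_respond(int $statusCode, array $payload): void
{
    // ob_get_length() yields false when no buffer is active; `false > 0` is
    // false, so nothing is cleaned in that case.
    if (ob_get_length() > 0) {
        ob_clean();
    }

    $body = json_encode(
        $payload,
        JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );

    if ($body === false) {
        // Without this guard a failed json_encode() would echo an empty body
        // under the caller's status code (e.g. 200), hiding the failure.
        // Malformed UTF-8 is already substituted above; this covers the
        // remaining cases (nesting depth, unsupported values).
        $statusCode = 500;
        $body = '{"ok":false,"error":"Erreur de sérialisation de la réponse."}';
    }

    http_response_code($statusCode);
    echo $body;
    exit;
}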

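try {
    require_once dirname(__DIR__) . '/config.php';
    require_once dirname(__DIR__) . '/includes/driver_store.php';

    // --- Authorisation ------------------------------------------------------
    // A request is accepted when the session already carries the flag, or when
    // the client IP has a row in pos_ip_authorizations whose authorized_until
    // is still in the future.
    $ipAddress = $_SERVER['REMOTE_ADDR'] ?? '';
    $isAuthorized = isset($_SESSION['authorized']) && $_SESSION['authorized'] === true;

    if (!$isAuthorized) {
        try {
            $stmt = $pdo->prepare(
                'SELECT COUNT(*) FROM pos_ip_authorizations WHERE ip_address = :ip_address AND authorized_until > NOW()'
            );
            $stmt->execute([':ip_address' => $ipAddress]);

            if ((int)$stmt->fetchColumn() > 0) {
                // NOTE(review): once set, the flag is never re-validated, so a
                // session keeps access after authorized_until has passed, for
                // as long as the session itself lives — confirm this is intended.
                $_SESSION['authorized'] = true;
                $isAuthorized = true;
            }
        } catch (PDOException $e) {
            // Keep the detail server-side; the client only gets a generic message.
            error_log('livreurs API: IP authorisation lookup failed: ' . $e->getMessage());
            api_livreurs_respond(500, ['ok' => false, 'error' => 'Erreur de base de données.']);
        }
    }

    if (!$isAuthorized) {
        api_livreurs_respond(403, ['ok' => false, 'error' => 'Accès refusé.']);
    }

    // --- Request parameters -------------------------------------------------
    $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');

    // NOTE(review): $_REQUEST merges GET, POST and (depending on request_order)
    // cookie data, so these two fields may come from the query string or a
    // cookie even on a POST. Reading them from $_POST for the mutating actions
    // would be stricter; kept as-is here to preserve the existing client contract.
    $action = isset($_REQUEST['action']) ? trim((string)$_REQUEST['action']) : '';
    $pointVente = isset($_REQUEST['point_vente']) ? (string)$_REQUEST['point_vente'] : '';

    // --- GET: list the drivers of one point of sale --------------------------
    if ($method === 'GET') {
        $normalizedPointVente = driver_store_allowed_point_vente($pointVente);
        if ($normalizedPointVente === '') {
            api_livreurs_respond(422, ['ok' => false, 'error' => 'Point de vente invalide.']);
        }

        api_livreurs_respond(200, [
            'ok' => true,
            'data' => [
                'point_vente' => $normalizedPointVente,
                'drivers' => driver_store_list($normalizedPointVente),
            ],
        ]);
    }

    if ($method !== 'POST') {
        api_livreurs_respond(405, ['ok' => false, 'error' => 'Méthode non autorisée.']);
    }

    // --- POST: create / update / delete a driver -----------------------------
    // NOTE(review): authorisation rests on the session cookie (or client IP)
    // and the mutating actions below carry no anti-CSRF token, so a cross-site
    // form post from an already-authorised browser would be accepted.
    // Validate the action first so the match below can stay exhaustive.
    if (!in_array($action, ['create', 'update', 'delete'], true)) {
        api_livreurs_respond(422, ['ok' => false, 'error' => 'Action invalide.']);
    }

    $result = match ($action) {
        'create' => driver_store_create(
            $pointVente,
            (string)($_POST['nom'] ?? ''),
            (string)($_POST['telephone'] ?? '')
        ),
        'update' => driver_store_update(
            $pointVente,
            (string)($_POST['original_phone'] ?? ''),
            (string)($_POST['nom'] ?? ''),
            (string)($_POST['telephone'] ?? '')
        ),
        'delete' => driver_store_delete(
            $pointVente,
            (string)($_POST['telephone'] ?? '')
        ),
    };

    // The store functions report success through the 'ok' key of the array
    // they return; that array is passed through to the client unchanged.
    api_livreurs_respond(($result['ok'] ?? false) ? 200 : 422, $result);
} catch (Throwable $e) {
    // Record the cause server-side; the client only receives a generic error.
    error_log('livreurs API: unhandled ' . get_class($e) . ': ' . $e->getMessage());
    api_livreurs_respond(500, [
        'ok' => false,
        'error' => 'Erreur interne lors du traitement des livreurs.',
    ]);
}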