<?php
session_start();
require_once 'db/config.php';
require_once 'includes/api_keys.php';

header('Content-Type: application/json');

if (!isset($_SESSION['user_id']) || !isset($_POST['orderID'])) {
    echo json_encode(['error' => 'Invalid request.']);
    exit();
}

$orderID = $_POST['orderID'];
$user_id = $_SESSION['user_id'];

// Helper function to get PayPal access token
function get_paypal_access_token($clientId, $secret, $apiBase) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$apiBase/v1/oauth2/token");
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERPWD, "$clientId:$secret");
    curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=client_credentials");
    $result = curl_exec($ch);
    curl_close($ch);
    
    if (empty($result)) return null;
    
    $json = json_decode($result);
    return $json->access_token ?? null;
}

$accessToken = get_paypal_access_token($paypalClientId, $paypalSecret, $paypalApiBase);

if (!$accessToken) {
    echo json_encode(['error' => 'Could not authenticate with PayPal.']);
    exit();
}

// Capture payment
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$paypalApiBase/v2/checkout/orders/$orderID/capture");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Content-Type: application/json",
    "Authorization: Bearer $accessToken"
]);

$result = curl_exec($ch);
curl_close($ch);
$details = json_decode($result);

if (isset($details->status) && $details->status == 'COMPLETED') {
    $pdo = db();
    
    // Fetch cart items
    $stmt = $pdo->prepare("SELECT c.*, mi.price, mi.restaurant_id FROM cart c JOIN menu_items mi ON c.menu_item_id = mi.id WHERE c.user_id = ?");
    $stmt->execute([$user_id]);
    $cart_items = $stmt->fetchAll();

    if (empty($cart_items)) {
        echo json_encode(['error' => 'Your cart is empty.']);
        exit();
    }

    $total_price = 0;
    $restaurant_id = null;
    foreach ($cart_items as $item) {
        $total_price += $item['price'] * $item['quantity'];
        $restaurant_id = $item['restaurant_id'];
    }
    $delivery_fee = 5.00;
    $total_price += $delivery_fee;

    $delivery_name = $_POST['name'];
    $delivery_address = $_POST['address'];
    $delivery_phone = $_POST['phone'];

    // Create order
    $stmt = $pdo->prepare("INSERT INTO orders (user_id, restaurant_id, total_price, status, stripe_session_id, delivery_name, delivery_address, delivery_phone) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
    $stmt->execute([$user_id, $restaurant_id, $total_price, 'paid', $orderID, $delivery_name, $delivery_address, $delivery_phone]);
    $order_id = $pdo->lastInsertId();

    // Insert order items
    $stmt = $pdo->prepare("INSERT INTO order_items (order_id, menu_item_id, quantity, price) VALUES (?, ?, ?, ?)");
    foreach ($cart_items as $item) {
        $stmt->execute([$order_id, $item['menu_item_id'], $item['quantity'], $item['price']]);
    }

    // Clear cart
    $stmt = $pdo->prepare("DELETE FROM cart WHERE user_id = ?");
    $stmt->execute([$user_id]);

    $_SESSION['order_id'] = $order_id;
    echo json_encode(['success' => true]);

} else {
    error_log('PayPal Capture Failed: ' . print_r($details, true));
    echo json_encode(['error' => 'Payment failed. Please try again.']);
}