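'Order ID not specified']); exit; }

// Public order-tracking lookup. Access is scoped to the caller: an authenticated
// user may only read their own orders, a guest may only read the order whose
// guest_token they present, and a request with neither is refused before the
// database is touched.
try {
    $pdo = db();

    $query = 'SELECT '
        . 'o.status, o.delivery_address, o.driver_lat, o.driver_lng, '
        . 'r.name as restaurant_name, r.lat as restaurant_lat, r.lng as restaurant_lng '
        . 'FROM orders o '
        . 'JOIN restaurants r ON o.restaurant_id = r.id '
        . 'WHERE o.id = ?';
    $params = [$order_id];

    // The ownership predicate is part of the query (bound, never interpolated),
    // so an order id that exists but belongs to someone else behaves exactly
    // like an order that does not exist.
    if ($user_id) {
        $query .= ' AND o.user_id = ?';
        $params[] = $user_id;
    } elseif ($token) {
        $query .= ' AND o.guest_token = ?';
        $params[] = $token;
    } else {
        http_response_code(403);
        echo json_encode(['error' => 'Permission denied']);
        exit;
    }

    $stmt = $pdo->prepare($query);
    $stmt->execute($params);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($order) {
        // For privacy the customer's exact delivery lat/lng is not returned, only
        // the address string; the frontend geocodes it itself. A Google Maps API
        // key for that is planned for a later step — note that a key shipped to
        // the browser is visible to every client and must be restricted (HTTP
        // referrer / allowed APIs) on the Google side.
        echo json_encode([
            'status' => ucwords($order['status']),
            'delivery_address' => $order['delivery_address'],
            'driver_location' => [
                'lat' => $order['driver_lat'],
                'lng' => $order['driver_lng'],
            ],
            'restaurant_location' => [
                'name' => $order['restaurant_name'],
                'lat' => $order['restaurant_lat'],
                'lng' => $order['restaurant_lng'],
            ],
        ]);
    } else {
        // Deliberately the same response for "no such order" and "not yours", so
        // the endpoint cannot be used to enumerate valid order ids.
        http_response_code(404);
        echo json_encode(['error' => 'Order not found or permission denied']);
    }
} catch (PDOException $e) {
    // Keep the driver's message server-side only. It was previously echoed to
    // the client, which discloses schema/DSN details (table and column names,
    // host, occasionally credentials) to anyone able to provoke a DB error.
    error_log('order status lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'Database error']);
}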