<?php
header('Content-Type: application/json');

// Basic security check: ensure it's a POST request
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405); // Method Not Allowed
    echo json_encode(['success' => false, 'error' => 'Invalid request method.']);
    exit;
}

$input = file_get_contents('php://input');
$data = json_decode($input, true);

if (json_last_error() !== JSON_ERROR_NONE || !isset($data['apiKey']) || !isset($data['apiSecret'])) {
    http_response_code(400); // Bad Request
    echo json_encode(['success' => false, 'error' => 'Invalid JSON or missing credentials.']);
    exit;
}

$apiKey = $data['apiKey'];
$apiSecret = $data['apiSecret'];

// In a real application, you MUST encrypt this data.
// For this example, we'll store it in a JSON file in a protected directory.

$storageDir = __DIR__ . '/../.keys'; // Store outside of web root if possible, or protect with .htaccess
if (!is_dir($storageDir)) {
    if (!mkdir($storageDir, 0750, true)) {
        http_response_code(500); // Internal Server Error
        echo json_encode(['success' => false, 'error' => 'Failed to create storage directory.']);
        exit;
    }
}

// Add a .htaccess file to the directory to deny direct access
if (!file_exists($storageDir . '/.htaccess')) {
    file_put_contents($storageDir . '/.htaccess', 'deny from all');
}

$credentials = [
    'apiKey' => $apiKey,
    'apiSecret' => $apiSecret, // Again, ENCRYPT THIS in a real app
];

$filePath = $storageDir . '/credentials.json';

if (file_put_contents($filePath, json_encode($credentials, JSON_PRETTY_PRINT))) {
    chmod($filePath, 0640); // Set restrictive permissions
    echo json_encode(['success' => true]);
} else {
    http_response_code(500); // Internal Server Error
    echo json_encode(['success' => false, 'error' => 'Failed to save credentials.']);
}