<?php
require_once __DIR__ . '/../db/config.php';

header('Content-Type: application/json');

function sendJsonResponse($data, $statusCode = 200) {
    http_response_code($statusCode);
    echo json_encode($data);
    exit();
}

// Basic API Key check (for demonstration purposes)
// In a real application, use a more robust authentication mechanism (e.g., OAuth2, JWT)
function checkApiKey() {
    $headers = getallheaders();
    $apiKey = $headers['X-Api-Key'] ?? '';

    // Replace 'YOUR_SECRET_API_KEY' with a strong, secret API key
    // This should ideally be stored in an environment variable or secure configuration
    if ($apiKey !== 'YOUR_SECRET_API_KEY') {
        sendJsonResponse(['error' => 'Unauthorized', 'message' => 'Invalid API Key.'], 401);
    }
}

checkApiKey();

$pdo = db();
$method = $_SERVER['REQUEST_METHOD'];

switch ($method) {
    case 'GET':
        if (isset($_GET['id'])) {
            // Get single company
            $id = $_GET['id'];
            try {
                $stmt = $pdo->prepare("SELECT * FROM companies WHERE id = :id");
                $stmt->execute(['id' => $id]);
                $company = $stmt->fetch();
                if ($company) {
                    sendJsonResponse($company);
                } else {
                    sendJsonResponse(['error' => 'Not Found', 'message' => 'Company not found.'], 404);
                }
            } catch (PDOException $e) {
                sendJsonResponse(['error' => 'Database Error', 'message' => $e->getMessage()], 500);
            }
        } else {
            // Get all companies
            try {
                $stmt = $pdo->query("SELECT * FROM companies ORDER BY name");
                $companies = $stmt->fetchAll();
                sendJsonResponse($companies);
            } catch (PDOException $e) {
                sendJsonResponse(['error' => 'Database Error', 'message' => $e->getMessage()], 500);
            }
        }
        break;

    case 'POST':
        $data = json_decode(file_get_contents('php://input'), true);
        if (!$data || empty($data['name'])) {
            sendJsonResponse(['error' => 'Bad Request', 'message' => 'Company name is required.'], 400);
        }

        $name = $data['name'];
        $email = $data['email'] ?? null;
        $phone = $data['phone'] ?? null;
        $address = $data['address'] ?? null;

        try {
            $stmt = $pdo->prepare("INSERT INTO companies (name, email, phone, address) VALUES (:name, :email, :phone, :address)");
            $stmt->execute([
                'name' => $name,
                'email' => $email,
                'phone' => $phone,
                'address' => $address
            ]);
            sendJsonResponse(['message' => 'Company created successfully', 'id' => $pdo->lastInsertId()], 201);
        } catch (PDOException $e) {
            sendJsonResponse(['error' => 'Database Error', 'message' => $e->getMessage()], 500);
        }
        break;

    case 'PUT':
        $data = json_decode(file_get_contents('php://input'), true);
        if (!isset($_GET['id'])) {
            sendJsonResponse(['error' => 'Bad Request', 'message' => 'Company ID is required for update.'], 400);
        }
        if (!$data || empty($data['name'])) {
            sendJsonResponse(['error' => 'Bad Request', 'message' => 'Company name is required.'], 400);
        }

        $id = $_GET['id'];
        $name = $data['name'];
        $email = $data['email'] ?? null;
        $phone = $data['phone'] ?? null;
        $address = $data['address'] ?? null;

        try {
            $stmt = $pdo->prepare("UPDATE companies SET name = :name, email = :email, phone = :phone, address = :address WHERE id = :id");
            $stmt->execute([
                'name' => $name,
                'email' => $email,
                'phone' => $phone,
                'address' => $address,
                'id' => $id
            ]);
            if ($stmt->rowCount() > 0) {
                sendJsonResponse(['message' => 'Company updated successfully.']);
            } else {
                sendJsonResponse(['error' => 'Not Found', 'message' => 'Company not found or no changes made.'], 404);
            }
        } catch (PDOException $e) {
            sendJsonResponse(['error' => 'Database Error', 'message' => $e->getMessage()], 500);
        }
        break;

    case 'DELETE':
        if (!isset($_GET['id'])) {
            sendJsonResponse(['error' => 'Bad Request', 'message' => 'Company ID is required for deletion.'], 400);
        }
        $id = $_GET['id'];

        try {
            $stmt = $pdo->prepare("DELETE FROM companies WHERE id = :id");
            $stmt->execute(['id' => $id]);
            if ($stmt->rowCount() > 0) {
                sendJsonResponse(['message' => 'Company deleted successfully.']);
            } else {
                sendJsonResponse(['error' => 'Not Found', 'message' => 'Company not found.'], 404);
            }
        } catch (PDOException $e) {
            sendJsonResponse(['error' => 'Database Error', 'message' => $e->getMessage()], 500);
        }
        break;

    default:
        sendJsonResponse(['error' => 'Method Not Allowed', 'message' => '' . $method . ' method is not supported.'], 405);
        break;
}