<?php
/**
 * Secure Backup Download API
 * 
 * Only accessible by authenticated administrators.
 */

session_start();

// Authentication and role-based access control
if (!isset($_SESSION['user_id']) || !isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
    http_response_code(403);
    echo json_encode(['error' => 'Forbidden: Only administrators can access this resource.']);
    exit;
}

// Input validation
if (!isset($_GET['filename'])) {
    http_response_code(400);
    echo json_encode(['error' => 'Bad Request: Filename is required.']);
    exit;
}

$filename = basename($_GET['filename']); // Prevent directory traversal
$backups_dir = realpath(__DIR__ . '/../backups');
$filepath = "{$backups_dir}/{$filename}";

// Security check: ensure the file exists and is within the backups directory
if (!$backups_dir || !file_exists($filepath) || strpos(realpath($filepath), $backups_dir) !== 0) {
    http_response_code(404);
    echo json_encode(['error' => 'Not Found: Backup file not found or access denied.']);
    exit;
}

// Determine content type
header('Content-Description: File Transfer');
header('Content-Type: application/sql');
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));

// Stream the file for download
readfile($filepath);
exit;