<?php
declare(strict_types=1);
require_once __DIR__ . '/../src/Calco2ApiClient.php';

// --- Basic CORS (adjust origin to your site/domain) ---
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
$allowedOrigin = preg_match('#^https://(www\.)?your-frontend\.example$#', $origin) ? $origin : '';
if ($allowedOrigin) {
    header('Access-Control-Allow-Origin: ' . $allowedOrigin);
    header('Vary: Origin');
    header('Access-Control-Allow-Credentials: true');
}
header('Access-Control-Allow-Headers: Content-Type');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');

// Handle preflight
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// --- Rate limit (very simple, per IP). Replace with Redis if needed. ---
session_start();
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$bucket = $_SESSION['ratelimit'][$ip] ?? ['count' => 0, 'start' => time()];
if (time() - $bucket['start'] > 60) { // 60-second window
    $bucket = ['count' => 0, 'start' => time()];
}
$bucket['count']++;
$_SESSION['ratelimit'][$ip] = $bucket;
if ($bucket['count'] > 120) { // 120 requests/min/IP
    http_response_code(429);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Too Many Requests']);
    exit;
}

// --- Instantiate API client ---
$base = getenv('CALCO2_API_BASE') ?: 'https://api.calco2la.to';
$key  = getenv('CALCO2_API_KEY') ?: '';
if (!$key) {
    http_response_code(500);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Server misconfiguration: missing API key']);
    exit;
}
$client = new Calco2ApiClient($base, $key);

// --- Whitelist router ---
$input = json_decode(file_get_contents('php://input') ?: '[]', true) ?: [];
$endpoint = $_GET['endpoint'] ?? $input['endpoint'] ?? '';
$method   = $_SERVER['REQUEST_METHOD'];

header('Content-Type: application/json; charset=utf-8');

try {
    switch ($endpoint) {
        case 'airports.search':
            // GET /?endpoint=airports.search&q=FRA&limit=10
            $q     = $_GET['q'] ?? '';
            $limit = isset($_GET['limit']) ? (int)$_GET['limit'] : 20;
            $offset= isset($_GET['offset']) ? (int)$_GET['offset'] : 0;
            $data  = $client->searchAirports($q, $limit, $offset);
            echo json_encode($data);
            break;

        case 'airports.get':
            // GET /?endpoint=airports.get&code=FRA
            $code = $_GET['code'] ?? '';
            if ($code === '') throw new InvalidArgumentException('Missing airport code');
            $data = $client->getAirport($code);
            echo json_encode($data);
            break;

        case 'flights.estimate':
            // POST with JSON body: { endpoint: "flights.estimate", params: {...} }
            if ($method !== 'POST') throw new RuntimeException('Use POST');
            $params = $input['params'] ?? [];
            $data = $client->flightEstimate($params);
            echo json_encode($data);
            break;

        case 'flights.get':
            // GET /?endpoint=flights.get&id=abc123
            $id = $_GET['id'] ?? '';
            if ($id === '') throw new InvalidArgumentException('Missing flight id');
            $data = $client->getFlightById($id);
            echo json_encode($data);
            break;

        default:
            http_response_code(404);
            echo json_encode(['error' => 'Unknown or unsupported endpoint']);
    }
} catch (Throwable $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}