<?php
/* Gemeinsamer API-Init für alle Bericht-API-Endpoints.
 *
 * - Lädt Dolibarr ohne Login (NOLOGIN), wir machen User-Auth selbst per JWT
 * - CORS für die PWA
 * - JSON Request/Response Helpers
 * - Authentifiziert per JWT (außer auth.php)
 */

if (!defined('NOLOGIN'))     define('NOLOGIN', '1');
if (!defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1');
if (!defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');
if (!defined('NOREQUIREMENU'))  define('NOREQUIREMENU', '1');
if (!defined('NOREQUIREHTML'))  define('NOREQUIREHTML', '1');
if (!defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX', '1');

$res = 0;
if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) $res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
$tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;
while ($i > 0 && $j > 0 && isset($tmp[$i]) && isset($tmp2[$j]) && $tmp[$i] == $tmp2[$j]) { $i--; $j--; }
if (!$res && $i > 0 && file_exists(substr($tmp, 0, ($i + 1))."/main.inc.php")) $res = @include substr($tmp, 0, ($i + 1))."/main.inc.php";
if (!$res && $i > 0 && file_exists(dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php")) $res = @include dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php";
if (!$res && file_exists("../../main.inc.php")) $res = @include "../../main.inc.php";
if (!$res && file_exists("../../../main.inc.php")) $res = @include "../../../main.inc.php";
if (!$res) die("Include of main fails");

require_once __DIR__.'/_jwt.php';
require_once __DIR__.'/../class/bericht.class.php';
require_once __DIR__.'/../lib/bericht.lib.php';

// CORS — die PWA läuft auf der gleichen Domain (subpfad), aber wir sind defensiv
$allowed_origin = '*'; // bei Bedarf in Konstante BERICHT_API_CORS_ORIGIN packen
if (getDolGlobalString('BERICHT_API_CORS_ORIGIN')) {
    $allowed_origin = getDolGlobalString('BERICHT_API_CORS_ORIGIN');
}
header('Access-Control-Allow-Origin: '.$allowed_origin);
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
header('Access-Control-Max-Age: 86400');

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

header('Content-Type: application/json; charset=utf-8');

function api_send($data, $code = 200)
{
    http_response_code($code);
    echo json_encode($data, JSON_UNESCAPED_UNICODE);
    exit;
}

function api_fail($msg, $code = 400)
{
    api_send(array('error' => $msg), $code);
}

function api_ok($data = array())
{
    api_send(array_merge(array('ok' => true), $data));
}

function api_input()
{
    $body = file_get_contents('php://input');
    if (!$body) return $_POST;
    $json = json_decode($body, true);
    return is_array($json) ? $json : $_POST;
}

/**
 * Lädt den User aus dem JWT und liefert das User-Objekt zurück.
 * Beendet bei ungültigem/fehlendem Token.
 */
function api_authenticate($db_param = null)
{
    global $db, $user, $conf;
    if ($db_param) $db = $db_param;

    $payload = bericht_jwt_from_request();
    if (!$payload || empty($payload['sub'])) {
        api_fail('Token ungültig oder fehlt', 401);
    }

    require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
    $u = new User($db);
    if ($u->fetch((int) $payload['sub']) <= 0) {
        api_fail('User nicht gefunden', 401);
    }
    if (empty($u->statut)) {
        api_fail('User deaktiviert', 401);
    }
    $u->loadRights();
    $user = $u;

    if (!$user->hasRight('bericht', 'read')) {
        api_fail('Keine Bericht-Rechte', 403);
    }
    return $user;
}