<?php
// API endpoint for generating API keys (Admin only)
error_reporting(E_ALL);
ini_set('display_errors', 0);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

ob_start();

try {
    // Load config
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';

    // Load models
    require_once dirname(__DIR__) . '/models/ApiKeyModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // Check admin privileges
    if (!isset($_SESSION['user']['is_admin']) || !$_SESSION['user']['is_admin']) {
        throw new Exception("Admin privileges required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            throw new Exception("Invalid CSRF token");
        }
    }

    // Only allow POST
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        throw new Exception("Method not allowed");
    }

    // Get request data
    $input = json_decode(file_get_contents('php://input'), true);
    if (!$input) {
        throw new Exception("Invalid request data");
    }

    $keyName = trim($input['key_name'] ?? '');
    $expiresInDays = $input['expires_in_days'] ?? null;

    if (empty($keyName)) {
        throw new Exception("Key name is required");
    }

    if (strlen($keyName) > 100) {
        throw new Exception("Key name must be 100 characters or less");
    }

    // Validate expires_in_days if provided
    if ($expiresInDays !== null && $expiresInDays !== '') {
        $expiresInDays = (int)$expiresInDays;
        if ($expiresInDays < 1 || $expiresInDays > 3650) {
            throw new Exception("Expiration must be between 1 and 3650 days");
        }
    } else {
        $expiresInDays = null;
    }

    // Use centralized database connection
    $conn = Database::getConnection();

    // Generate API key
    $apiKeyModel = new ApiKeyModel($conn);
    $result = $apiKeyModel->createKey($keyName, $_SESSION['user']['user_id'], $expiresInDays);

    if (!$result['success']) {
        throw new Exception($result['error'] ?? "Failed to generate API key");
    }

    // Log the action
    $auditLog = new AuditLogModel($conn);
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'create',
        'api_key',
        $result['key_id'],
        ['key_name' => $keyName, 'expires_in_days' => $expiresInDays]
    );

    // Clear output buffer
    ob_end_clean();

    // Return success with the plaintext key (shown only once)
    header('Content-Type: application/json');
    echo json_encode([
        'success' => true,
        'api_key' => $result['api_key'],
        'key_prefix' => $result['key_prefix'],
        'key_id' => $result['key_id'],
        'expires_at' => $result['expires_at']
    ]);

} catch (Exception $e) {
    ob_end_clean();
    error_log("Generate API key error: " . $e->getMessage());
    header('Content-Type: application/json');
    http_response_code(isset($conn) ? 400 : 500);
    echo json_encode([
        'success' => false,
        'error' => 'An internal error occurred'
    ]);
}