<?php
// API endpoint for revoking API keys (Admin only)
error_reporting(E_ALL);
ini_set('display_errors', 0);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

ob_start();

try {
    // Load config
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';

    // Load models
    require_once dirname(__DIR__) . '/models/ApiKeyModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // Check admin privileges
    if (!isset($_SESSION['user']['is_admin']) || !$_SESSION['user']['is_admin']) {
        throw new Exception("Admin privileges required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            throw new Exception("Invalid CSRF token");
        }
    }

    // Only allow POST
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        throw new Exception("Method not allowed");
    }

    // Get request data
    $input = json_decode(file_get_contents('php://input'), true);
    if (!$input) {
        throw new Exception("Invalid request data");
    }

    $keyId = (int)($input['key_id'] ?? 0);

    if ($keyId <= 0) {
        throw new Exception("Valid key ID is required");
    }

    // Use centralized database connection
    $conn = Database::getConnection();

    // Get key info for audit log
    $apiKeyModel = new ApiKeyModel($conn);
    $keyInfo = $apiKeyModel->getKeyById($keyId);

    if (!$keyInfo) {
        throw new Exception("API key not found");
    }

    if (!$keyInfo['is_active']) {
        throw new Exception("API key is already revoked");
    }

    // Revoke the key
    $success = $apiKeyModel->revokeKey($keyId);

    if (!$success) {
        throw new Exception("Failed to revoke API key");
    }

    // Log the action
    $auditLog = new AuditLogModel($conn);
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'revoke',
        'api_key',
        $keyId,
        ['key_name' => $keyInfo['key_name'], 'key_prefix' => $keyInfo['key_prefix']]
    );

    // Clear output buffer
    ob_end_clean();

    // Return success
    header('Content-Type: application/json');
    echo json_encode([
        'success' => true,
        'message' => 'API key revoked successfully'
    ]);

} catch (Exception $e) {
    ob_end_clean();
    header('Content-Type: application/json');
    http_response_code(isset($conn) ? 400 : 500);
    echo json_encode([
        'success' => false,
        'error' => $e->getMessage()
    ]);
}