tinker_tickets/api/user_preferences.php

<?php
/**
 * User Preferences API Endpoint
 * Handles GET (fetch preferences) and POST (update preference)
 */

require_once __DIR__ . '/bootstrap.php';
require_once dirname(__DIR__) . '/models/UserPreferencesModel.php';

$prefsModel = new UserPreferencesModel($conn);

// GET - Fetch all preferences for user
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    try {
        $prefs = $prefsModel->getUserPreferences($userId);
        apiRespond(['success' => true, 'preferences' => $prefs]);
    } catch (Exception $e) {
        http_response_code(500);
        apiRespond(['success' => false, 'error' => 'Failed to fetch preferences']);
    }
    exit;
}

// POST - Update preference(s)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = json_decode(file_get_contents('php://input'), true);

    // Validate preference key (whitelist)
    $validKeys = [
        'rows_per_page',
        'default_status_filters',
        'table_density',
        'notifications_enabled',
        'sound_effects',
        'toast_duration'
    ];

    // Support batch save: { preferences: { key: value, ... } }
    if (isset($data['preferences']) && is_array($data['preferences'])) {
        try {
            foreach ($data['preferences'] as $key => $value) {
                $key = trim($key);
                if (!in_array($key, $validKeys)) continue;
                $prefsModel->setPreference($userId, $key, $value);
                if ($key === 'rows_per_page') {
                    setcookie('ticketsPerPage', $value, ['expires' => time() + (86400 * 365), 'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
                }
            }
            apiRespond(['success' => true]);
        } catch (Exception $e) {
            http_response_code(500);
            apiRespond(['success' => false, 'error' => 'Failed to save preferences']);
        }
        exit;
    }

    // Single preference: { key, value }
    if (!isset($data['key']) || !isset($data['value'])) {
        http_response_code(400);
        apiRespond(['success' => false, 'error' => 'Missing key or value']);
        exit;
    }

    $key = trim($data['key']);
    $value = $data['value'];

    if (!in_array($key, $validKeys)) {
        http_response_code(400);
        apiRespond(['success' => false, 'error' => 'Invalid preference key']);
        exit;
    }

    try {
        $success = $prefsModel->setPreference($userId, $key, $value);

        // Also update cookie for rows_per_page for backwards compatibility
        if ($key === 'rows_per_page') {
            setcookie('ticketsPerPage', $value, time() + (86400 * 365), '/');
        }

        apiRespond(['success' => $success]);
    } catch (Exception $e) {
        http_response_code(500);
        apiRespond(['success' => false, 'error' => 'Failed to save preference']);
    }
    exit;
}

// DELETE - Delete a preference (optional endpoint)
if ($_SERVER['REQUEST_METHOD'] === 'DELETE') {
    $data = json_decode(file_get_contents('php://input'), true);

    if (!isset($data['key'])) {
        http_response_code(400);
        apiRespond(['success' => false, 'error' => 'Missing key']);
        exit;
    }

    try {
        $success = $prefsModel->deletePreference($userId, $data['key']);
        apiRespond(['success' => $success]);
    } catch (Exception $e) {
        http_response_code(500);
        apiRespond(['success' => false, 'error' => 'Failed to delete preference']);
    }
    exit;
}

// Method not allowed
http_response_code(405);
apiRespond(['success' => false, 'error' => 'Method not allowed']);