<?php
/**
 * Media file serving controller
 *
 * Serves uploaded files that are stored outside the webroot (STORAGE_ROOT).
 * This is the sole access point for thesis files, covers, and annexes — they
 * are never exposed as direct filesystem paths from the web server.
 *
 * Security:
 *   - Strict character whitelist on the path parameter (no path traversal)
 *   - realpath() jail: resolved path must stay inside STORAGE_ROOT
 *   - MIME type verified against an allow-list before serving
 */
require_once __DIR__ . '/../config/bootstrap.php';

// --- 1. Extract and validate the requested path -------------------------------

$requestedPath = $_GET['path'] ?? '';

// Only allow safe characters: letters, digits, forward slashes, dots, hyphens, underscores.
// This explicitly rejects null bytes, backslashes, and sequences like "../".
if (!preg_match('#^[a-zA-Z0-9/_\-.]+$#', $requestedPath) || $requestedPath === '') {
    http_response_code(400);
    exit;
}

// --- 2. Resolve full filesystem path and enforce storage jail -----------------

$storageRoot = defined('STORAGE_ROOT') ? STORAGE_ROOT : '/var/www/posterg/storage';
$fullPath    = $storageRoot . '/' . $requestedPath;

$realStorage = realpath($storageRoot);
$realFull    = realpath($fullPath);

if (
    $realFull === false
    || $realStorage === false
    || strpos($realFull, $realStorage . '/') !== 0
) {
    http_response_code(404);
    exit;
}

if (!is_file($realFull)) {
    http_response_code(404);
    exit;
}

// --- 2b. Visibility gate: check access_type_id for thesis files ---------------
// Only applies to paths under theses/ (uploaded thesis content).
// Banners and covers are always public (no sensitivity).
if (preg_match('#^theses/#', $requestedPath)) {
    require_once __DIR__ . '/../src/Database.php';
    try {
        $mediaDb     = Database::getInstance();
        $accessTypeId = $mediaDb->getFileVisibility($requestedPath);
        if ($accessTypeId !== null && $accessTypeId === 3) {
            // 3 = Interdit — block entirely
            http_response_code(403);
            exit;
        }
        // 2 = Interne — allow (no session auth requirement for now; could add later)
    } catch (\Throwable $e) {
        // On DB error, fail open (don't block legitimate requests)
        error_log("media.php visibility check error: " . $e->getMessage());
    }
}

// --- 3. Verify MIME type from file content (not extension) --------------------

$finfo    = new finfo(FILEINFO_MIME_TYPE);
$mimeType = $finfo->file($realFull);

$allowedMimes = [
    'image/jpeg',
    'image/png',
    'image/gif',
    'application/pdf',
    'video/mp4',
    'application/zip',
    'text/vtt',       // WebVTT caption sidecar files
];

// finfo may return 'text/plain' for WebVTT files on some systems;
// re-classify by extension so we don't block them.
if ($mimeType === 'text/plain' && strtolower(pathinfo($realFull, PATHINFO_EXTENSION)) === 'vtt') {
    $mimeType = 'text/vtt';
}

if (!in_array($mimeType, $allowedMimes, true)) {
    http_response_code(403);
    exit;
}

// --- 4. Send response headers -------------------------------------------------

header('Content-Type: ' . $mimeType);
header('Content-Length: ' . filesize($realFull));
header('X-Content-Type-Options: nosniff');

$ext = strtolower(pathinfo($realFull, PATHINFO_EXTENSION));

if (in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
    // Images: cache publicly for 7 days
    header('Cache-Control: public, max-age=604800');
} elseif ($ext === 'pdf') {
    // PDFs: cache for 1 day, display inline
    header('Cache-Control: public, max-age=86400');
    header('Content-Disposition: inline');
} elseif ($ext === 'vtt') {
    // WebVTT captions: serve as text/vtt, cache 1 day
    header('Content-Type: text/vtt; charset=utf-8');
    header('Cache-Control: public, max-age=86400');
} else {
    // Everything else: no public caching
    header('Cache-Control: private, no-store');
}

// --- 5. Stream file -----------------------------------------------------------

readfile($realFull);