<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[settings.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | section=' . ($_POST['section'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();

if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    App::flash('error', "Erreur de sécurité : token invalide.");
    header('Location: /admin/parametres.php');
    exit;
}

require_once APP_ROOT . '/src/Database.php';
require_once APP_ROOT . '/src/SmtpRelay.php';
require_once APP_ROOT . '/src/PeerTubeService.php';
require_once APP_ROOT . '/src/AdminLogger.php';
$db     = new Database();
$logger = AdminLogger::make();

$isHxRequest = (isset($_SERVER['HTTP_HX_REQUEST']) && $_SERVER['HTTP_HX_REQUEST'] === 'true');
$section = $_POST['section'] ?? '';

if ($section === 'formulaire') {
    $allowed = [
        'access_type_libre_enabled',
        'access_type_interne_enabled',
        'access_type_interdit_enabled',
        'restricted_files_enabled'
    ];
    $newValues = [];
    foreach ($allowed as $key) {
        $value = isset($_POST[$key]) ? '1' : '0';
        $db->setSetting($key, $value);
        $newValues[$key] = $value;
    }
    $logger->logFormSettingsUpdate($newValues);
    if (!$isHxRequest) {
        App::flash('success', "Paramètres du formulaire mis à jour.");
    }
} elseif ($section === 'objet_types') {
    $newValues = [
        'objet_these_enabled' => isset($_POST['objet_these_enabled']) ? '1' : '0',
        'objet_frart_enabled' => isset($_POST['objet_frart_enabled']) ? '1' : '0',
    ];
    $db->setSetting('objet_these_enabled', $newValues['objet_these_enabled']);
    $db->setSetting('objet_frart_enabled', $newValues['objet_frart_enabled']);
    $logger->logObjetTypesUpdate($newValues);
    if (!$isHxRequest) {
        App::flash('success', "Types de travaux mis à jour.");
    }
} elseif ($section === 'smtp') {
    $smtpData = [
        'host'         => $_POST['smtp_host']         ?? '',
        'port'         => $_POST['smtp_port']         ?? 587,
        'encryption'   => $_POST['smtp_encryption']   ?? 'tls',
        'username'     => $_POST['smtp_username']     ?? '',
        'from_email'   => $_POST['smtp_from_email']   ?? '',
        'from_name'    => $_POST['smtp_from_name']    ?? 'XAMXAM',
        'notify_email' => $_POST['smtp_notify_email'] ?? '',
    ];
    // Only update password when user actually typed something.
    $pwd = $_POST['smtp_password'] ?? '';
    if ($pwd !== '') {
        $smtpData['password'] = $pwd;
    }
    SmtpRelay::updateSettings($db, $smtpData);

    // Immediately probe the server to validate credentials
    $test = SmtpRelay::test($db);
    $logger->logSmtpUpdate($test['ok']);
    if ($test['ok']) {
        App::flash('success', "Paramètres SMTP mis à jour — connexion validée ✓");
    } else {
        App::flash('error', "Paramètres sauvegardés, mais le test de connexion a échoué : " . $test['error']);
        if ($test['field'] !== null) {
            $_SESSION['_flash_smtp_field'] = $test['field'];
        }
    }
} elseif ($section === 'peertube') {
    // Feature flag
    $enabled = isset($_POST['peertube_upload_enabled']) ? '1' : '0';
    $db->setSetting('peertube_upload_enabled', $enabled);

    // Credentials — only overwrite password when user typed something
    $data = [
        'instance_url' => $_POST['peertube_instance_url'] ?? '',
        'username'     => $_POST['peertube_username']     ?? '',
        'channel_id'   => $_POST['peertube_channel_id']  ?? 1,
        'privacy'      => $_POST['peertube_privacy']      ?? 1,
    ];
    $pwd = $_POST['peertube_password'] ?? '';
    if ($pwd !== '') {
        $data['password'] = $pwd;
    }
    PeerTubeService::updateSettings($db, $data);
    $logger->logPeerTubeUpdate($enabled === '1');
    App::flash('success', 'Paramètres PeerTube mis à jour.');
} else {
    App::flash('error', "Section inconnue.");
}

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

if ($isHxRequest) {
    // Return updated CSRF tokens for all three hidden inputs on the page
    $newToken = htmlspecialchars($_SESSION['csrf_token']);
    echo '<input type="hidden" id="csrf_token_files" value="' . $newToken . '" hx-swap-oob="true">';
    echo '<input type="hidden" id="csrf_token_acces" value="' . $newToken . '" hx-swap-oob="true">';
    echo '<input type="hidden" id="csrf_token_types" value="' . $newToken . '" hx-swap-oob="true">';
    exit;
}

header('Location: /admin/parametres.php');
exit;