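<?php

declare(strict_types=1);

use App\Database\Connection;
use App\Util\Config;

// Front controller: starts the session, sets baseline security headers, loads
// configuration, enforces authentication and dispatches to a controller.

// Session cookie hardening. use_strict_mode makes PHP reject session IDs it did
// not issue itself (session fixation mitigation). Some SAPIs set
// $_SERVER['HTTPS'] to "off" instead of leaving it unset, so a bare isset() is
// not a reliable HTTPS test; behind a TLS-terminating proxy the variable may be
// absent altogether and must be configured at the proxy/SAPI level.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_start([
    'cookie_httponly' => true,
    'cookie_secure' => $isHttps,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,
]);

header("X-Frame-Options: DENY");
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: no-referrer-when-downgrade");

require_once __DIR__ . '/../vendor/autoload.php';

// Load environment variables. The exception text may contain file paths or
// configuration details, so it goes to the error log, not to the client.
try {
    Config::load(__DIR__ . '/../');
} catch (Exception $e) {
    error_log('Could not load environment configuration: ' . $e->getMessage());
    http_response_code(500);
    die("FATAL ERROR: Could not load environment configuration.");
}

// Report everything in every environment; only *display* of errors depends on
// the environment. error_reporting(0) would also silence the error log, which
// hides production failures from operators.
$isDevelopment = Config::get('APP_ENV') === 'development';
error_reporting(E_ALL);
ini_set('display_errors', $isDevelopment ? '1' : '0');
ini_set('log_errors', '1');

/**
 * Whether the current session belongs to an authenticated user.
 *
 * Requires the session flag to be strictly boolean true; a truthy string or
 * integer does not count.
 */
function is_logged_in(): bool
{
    return isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] === true;
}

/**
 * Ensures the session carries a CSRF token, creating one (32 random bytes,
 * hex-encoded, from the CSPRNG) if none exists yet. Idempotent for the
 * lifetime of the session.
 */
function generate_csrf_token(): void
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
}

/**
 * Validates the csrf_token POST field against the token stored in the session.
 *
 * Returns false — instead of letting hash_equals() raise a TypeError — when
 * either side is missing or not a string (e.g. a `csrf_token[]=` array
 * parameter). The comparison itself is constant-time.
 */
function validate_csrf_token(): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    $provided = $_POST['csrf_token'] ?? null;

    if (!is_string($expected) || !is_string($provided)) {
        return false;
    }

    return hash_equals($expected, $provided);
}

generate_csrf_token();

// Simple router: the page name comes straight from the query string and is
// matched strictly below, so anything unknown (or non-string) ends in a 404.
$page = $_GET['page'] ?? 'dashboard';

// Redirect to login if not authenticated and not on the login page
if (!is_logged_in() && $page !== 'login') {
    header('Location: index.php?page=login');
    exit;
}

// Establish DB connection for the controllers that need it. Driver messages
// can reveal hosts, ports or credentials, so the detail is logged and only
// echoed back in development.
$pdo = null;
try {
    $pdo = Connection::getInstance();
} catch (PDOException $e) {
    error_log('Database connection failed: ' . $e->getMessage());
    http_response_code(500);
    die($isDevelopment ? 'Database connection failed: ' . $e->getMessage() : 'Database connection failed.');
}

// Route to the correct controller/logic. match() compares with ===, so only
// the exact page names listed here reach a controller; everything else is the
// default arm. The closure is created only for the matching arm.
$handler = match ($page) {
    'login' => static fn () => (new App\Controllers\AuthController())->index(),
    'logout' => static fn () => (new App\Controllers\AuthController())->logout(),
    'dashboard' => static fn () => (new App\Controllers\DashboardController())->index(),
    'import' => static fn () => (new App\Controllers\ImportController($pdo))->index(),
    'query' => static fn () => (new App\Controllers\QueryController($pdo))->index(),
    'query-results' => static fn () => (new App\Controllers\QueryController($pdo))->results(),
    'export' => static fn () => (new App\Controllers\QueryController($pdo))->export(),
    default => null,
};

if ($handler === null) {
    http_response_code(404);
    echo '<h1>404 Not Found</h1>';
} else {
    $handler();
}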