<?php
header("Content-Type: application/json; charset=UTF-8");
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type, Authorization");
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') exit;

define('ENCRYPTION_KEY', 'MaCleSecreteSuperRobuste123!');
$pdo = new PDO("mysql:host=localhost;dbname=mon_cinema;charset=utf8mb4", "root", "", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
]);

function checkAuth($pdo) {
    $stmt = $pdo->query("SELECT COUNT(*) FROM users");
    if ($stmt->fetchColumn() == 0) return;
    $token = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if ($token !== md5(ENCRYPTION_KEY . 'session')) {
        http_response_code(403);
        echo json_encode(["error" => "Non autorisé"]);
        exit;
    }
}

function saveFilm($pdo, $data, $isUpdate = false) {
    $type = $data['type'] ?? 'critique';
    $table = ($type === 'videotheque') ? 'videotheque' : 'critiques';
    
    $allowedFields = [
        'title', 'year', 'director', 'poster', 
        'rating', 'review', 'streaming', 
        'format', 'length', 'publisher', 'aspect_ratio', 'ean_isbn13', 'number_of_discs', 'description'
    ];
    
    $fields = [];
    $values = [];
    foreach ($allowedFields as $field) {
        if (array_key_exists($field, $data)) {
            $fields[] = $field;
            $values[] = $data[$field];
        }
    }
    
    if ($isUpdate && !empty($data['id'])) {
        $setClause = implode('=?,', $fields) . '=?';
        $values[] = $data['id'];
        $stmt = $pdo->prepare("UPDATE $table SET $setClause WHERE id = ?");
        $stmt->execute($values);
    } else {
        $placeholders = implode(',', array_fill(0, count($fields), '?'));
        $columns = implode(',', $fields);
        $stmt = $pdo->prepare("INSERT INTO $table ($columns) VALUES ($placeholders)");
        $stmt->execute($values);
    }
    echo json_encode(["success" => true]);
}

$action = $_GET['action'] ?? '';
$data = json_decode(file_get_contents('php://input'), true) ?? [];

switch ($action) {
    case 'get_films':
        $crit = $pdo->query("SELECT *, 'critique' AS type FROM critiques")->fetchAll();
        $video = $pdo->query("SELECT *, 'videotheque' AS type FROM videotheque")->fetchAll();
        echo json_encode(array_merge($crit, $video));
        break;
        
    case 'login':
        $stmt = $pdo->query("SELECT COUNT(*) FROM users");
        if ($stmt->fetchColumn() == 0) {
            echo json_encode(["success" => true, "token" => md5(ENCRYPTION_KEY . 'session'), "blank" => true]);
        } else {
            $stmt = $pdo->prepare("SELECT password_hash FROM users WHERE username = 'admin'");
            $stmt->execute();
            $user = $stmt->fetch();
            if ($user && password_verify($data['password'] ?? '', $user['password_hash'])) {
                echo json_encode(["success" => true, "token" => md5(ENCRYPTION_KEY . 'session'), "blank" => false]);
            } else {
                http_response_code(401);
                echo json_encode(["error" => "Erreur"]);
            }
        }
        break;
        
    case 'bulk_delete':
        checkAuth($pdo);
        $ids = $data['ids'] ?? [];
        $type = $data['type'] ?? 'critique'; // BUG CORRIGÉ : Vérification de l'existence
        $table = ($type === 'videotheque') ? 'videotheque' : 'critiques';
        if (!empty($ids)) {
            $placeholders = implode(',', array_fill(0, count($ids), '?'));
            $stmt = $pdo->prepare("DELETE FROM $table WHERE id IN ($placeholders)");
            $stmt->execute($ids);
            echo json_encode(["success" => true]);
        }
        break;
        
    case 'delete_film':
        checkAuth($pdo);
        $type = $_GET['type'] ?? 'critique'; // BUG CORRIGÉ : Vérification de l'existence
        $table = ($type === 'videotheque') ? 'videotheque' : 'critiques';
        $stmt = $pdo->prepare("DELETE FROM $table WHERE id = ?");
        $stmt->execute([$_GET['id']]);
        echo json_encode(["success" => true]);
        break;

    case 'add_film':
        checkAuth($pdo);
        saveFilm($pdo, $data, false);
        break;

    case 'update_film':
        checkAuth($pdo);
        saveFilm($pdo, $data, true);
        break;

    case 'change_password':
        checkAuth($pdo);
        $pass = $data['password'] ?? '';
        if ($pass) {
            $hash = password_hash($pass, PASSWORD_DEFAULT);
            $stmt = $pdo->prepare("UPDATE users SET password_hash = ? WHERE username = 'admin'");
            $stmt->execute([$hash]);
        }
        echo json_encode(["success" => true]);
        break;

    case 'import_csv':
        checkAuth($pdo);
        if (isset($_FILES['file'])) {
            $file = $_FILES['file']['tmp_name'];
            $type = $_POST['type'] ?? 'critique';
            $table = ($type === 'videotheque') ? 'videotheque' : 'critiques';
            
            if (($handle = fopen($file, "r")) !== FALSE) {
                $header = fgetcsv($handle, 0, ",");
                while (($row = fgetcsv($handle, 0, ",")) !== FALSE) {
                    $rowData = array_combine($header, $row);
                    saveFilm($pdo, array_merge($rowData, ['type' => $type]), false);
                }
                fclose($handle);
            }
            echo json_encode(["success" => true]);
        }
        break;
}