<?php
session_start();
include_once('connection.php');
require_once("functions.php");
require_once("env.php");

$response = array('status' => 'error', 'message' => 'Something went wrong');

// Check if the user is logged in
if (!isset($_SESSION['user_id'])) {
    $response['message'] = 'You are not logged in.';
    echo json_encode($response);
    exit();
}

$user_id = $_SESSION['user_id'];

// Handle profile picture upload
if (isset($_FILES['profile_picture']) && $_FILES['profile_picture']['error'] != UPLOAD_ERR_NO_FILE) {
    // Validate file using hardened validation function
    $validationResult = validateFileUpload($_FILES['profile_picture'], 'profile_picture');
    
    if ($validationResult === false) {
        $response['message'] = 'Invalid file. Only JPG, JPEG, PNG, GIF, and WEBP images under 5MB are allowed.';
        echo json_encode($response);
        exit();
    }
    
    // Extract validated filename
    $randomFilename = $validationResult['filename'];
    $target_dir = "assets/images/pp/";
    $target_file = $target_dir . $randomFilename;
    
    // Ensure upload directory exists and is writable
    if (!is_dir($target_dir)) {
        mkdir($target_dir, 0755, true);
    }
    
    if (!is_writable($target_dir)) {
        $response['message'] = 'Upload directory is not writable.';
        echo json_encode($response);
        exit();
    }
    
    // Move the uploaded file
    if (move_uploaded_file($_FILES['profile_picture']['tmp_name'], $target_file)) {
        // Set secure file permissions (readable but not executable)
        chmod($target_file, 0644);
        
        // Update the profile picture path in the database
        $sql = "UPDATE users SET profile_pic = ? WHERE user_id = ?";
        $stmt = $conn->prepare($sql);
        if (!$stmt) {
            $response['message'] = 'Database error.';
            echo json_encode($response);
            exit();
        }
        
        $stmt->bind_param("si", $target_file, $user_id);
        if ($stmt->execute()) {
            $_SESSION['profile_pic'] = $target_file;
            $response['status'] = 'success';
            $response['message'] = 'Profile picture updated successfully';
            
            // Log the action
            auditLog($user_id, 'PROFILE_PIC_UPLOAD', 'users', $user_id, ['filename' => $randomFilename]);
        } else {
            $response['message'] = 'Failed to update profile picture in the database';
        }
        $stmt->close();
    } else {
        $response['message'] = 'Failed to move uploaded file.';
    }
} else {
    $response['message'] = 'No file uploaded or file error.';
}

echo json_encode($response);
?>