<?php
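// Harden the session cookie before the session is started: HttpOnly keeps the
// id out of reach of scripts, SameSite=Lax stops it from riding on cross-site
// POSTs (the RPC handler at the bottom of this file is state-changing and has
// no CSRF token), and strict mode refuses attacker-supplied ids that were never
// issued by this server.
// NOTE(review): cookie_secure is deliberately not set here because this file
// does not show whether the front end itself is served over HTTPS — enable it
// if it is.
session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,
]);
//admin is hiding a little secret...
// Backend API keys, read via $GLOBALS by the helpers below: $secret_write is
// attached by the trusted wrappers (register / newnote) and $secret_read is
// injected by gattos_mkcall().
// NOTE(review): real values belong in configuration outside the web root or
// in the environment, not hard-coded in a file that is served by the web
// server.
$secret_write = "redacted";
$secret_read = "redacted";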
/**
 * Encode a parameter array as a URL query string.
 *
 * Falsy input (null, []) yields "" so a caller can append the result after a
 * "?" unconditionally; anything else goes through http_build_query().
 */
function gattos_tourlparams($data) {
    return $data ? http_build_query($data) : "";
}

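/**
 * Issue a read request to the backend API with $secret_read attached.
 *
 * $opts keys: 'path' (relative path on the API host, must start with "/"),
 * optional 'data' (array of query parameters; any caller-supplied 'key' is
 * overwritten with the read key), optional 'untrusted_ctx' (set by the RPC
 * handler for calls that originate from a remote client).
 *
 * Returns the raw response body, or null when the call was refused or the
 * backend could not be reached.
 */
function gattos_mkcall($opts) {
    $authserver = "https://gattoschat-api.hack.ax";

    // Refuse BEFORE issuing the request. The original version performed the
    // backend call (with the read key in the query string) and only then
    // discarded the response, so a direct RPC invocation of this helper still
    // reached the backend with the secret attached.
    if($opts['untrusted_ctx']??false) { //cors: true
        return null;
    }

    // $path is concatenated straight into the URL, so keep it a plain relative
    // path: a value containing "@", "?", "#" or a scheme could steer the
    // request (and the key) to a different host or rewrite the query.
    $path = $opts['path'] ?? '';
    if(!is_string($path) || !preg_match('#^/[A-Za-z0-9_./-]*$#', $path) || str_contains($path, '..')) {
        throw new \InvalidArgumentException('gattos_mkcall: invalid API path');
    }

    $data = isset($opts['data']) && is_array($opts['data']) ? $opts['data'] : [];
    // The read key is always injected here; a caller cannot supply its own.
    $data['key'] = $GLOBALS['secret_read'];

    $response = file_get_contents($authserver . $path . "?" . gattos_tourlparams($data));
    // file_get_contents() returns false on failure; normalise to null, which
    // is already this helper's "no response" value.
    return $response === false ? null : $response;
}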

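/**
 * Issue a privileged request to the backend API.
 *
 * This helper attaches no key of its own: the trusted wrapper that calls it
 * (gattos_register / gattos_newnote) must already have put $secret_write into
 * $opts['data']. Anything flagged 'untrusted_ctx' (i.e. reached through the
 * RPC handler) is refused with a fixed denial string.
 *
 * $opts keys: 'path' (relative path on the API host, must start with "/"),
 * optional 'data' (array of query parameters), optional 'untrusted_ctx'.
 *
 * Returns the raw response body (false if the backend could not be reached,
 * exactly as file_get_contents() reports it).
 */
function gattos_mkcall_superuser($opts) {
    if($opts['untrusted_ctx']??false) {
        return "!!!!!!!!!!!!!!!! ACCESSO COMPLETAMENTE NEGATO !!!!!!!!!!!!!!!!";
    }
    $authserver = "https://gattoschat-api.hack.ax";

    //Api token must be injected upstream
    // $path is concatenated straight into the URL; restrict it to a plain
    // relative path so the request cannot be redirected to another host.
    $path = $opts['path'] ?? '';
    if(!is_string($path) || !preg_match('#^/[A-Za-z0-9_./-]*$#', $path) || str_contains($path, '..')) {
        throw new \InvalidArgumentException('gattos_mkcall_superuser: invalid API path');
    }
    $data = isset($opts['data']) && is_array($opts['data']) ? $opts['data'] : [];

    $response = file_get_contents($authserver . $path . "?" . gattos_tourlparams($data));
    return $response;
}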

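if(isset($_SESSION['username'])) {
    // The note helpers are only defined for an authenticated session; the RPC
    // handler's function_exists() check is what turns that into "not logged
    // in" for anonymous callers.

    /**
     * Store a note for the logged-in user via the privileged backend call.
     *
     * Only $datx['note'] is read from the caller. The backend payload is built
     * from scratch (write key, session username, truncated note) so nothing
     * else the remote client posted — including the RPC handler's
     * untrusted_ctx flag — is forwarded.
     *
     * Returns the raw backend response, or an error string on bad input.
     */
    function gattos_newnote($datx) {
        $note = $datx['note'] ?? '';
        // substr() throws a TypeError on arrays in PHP 8; reject them cleanly.
        if(!is_string($note)) {
            return "Nota non valida";
        }
        $data = [];
        $data['key'] = $GLOBALS['secret_write'];
        $data['username'] = $_SESSION['username'];
        $data['note'] = substr($note, 0, 512); //max 512 chars (bytes, not code points)
        return gattos_mkcall_superuser(array(
            'path' => '/dbmknote.php',
            'data' => $data,
        ));
    }

    /**
     * Return the logged-in user's notes.
     *
     * The backend reply from /dbread.php holds every user (including password
     * hashes, as gattos_login() relies on), so only this session's 'notes'
     * entry is handed back; the rest must never be echoed to the client.
     * $data is accepted for RPC signature uniformity and ignored.
     *
     * Returns the notes value, or null when the user/notes are absent or the
     * backend returned nothing.
     */
    function gattos_readnotes($data) {
        $answer = gattos_mkcall(array(
            'path' => '/dbread.php',
            'data' => [],
        ));
        // (string) cast: a null/false response decodes to null instead of
        // triggering a deprecation notice.
        $answer = json_decode((string)$answer, true);
        return $answer['users'][$_SESSION['username']]['notes'] ?? null;
    }
}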
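/**
 * Create an account via the privileged backend call.
 *
 * Reads 'username' and 'password' from $data (both truncated to 32 bytes, the
 * same truncation gattos_login() applies so the credential round-trips).
 *
 * Only an explicit allow-list of fields is sent. The original forwarded the
 * caller's whole array — i.e. every extra key a remote client posted under
 * data[], plus the RPC handler's untrusted_ctx flag — to /dbmkaccount.php;
 * what the backend did with unexpected fields is not visible here, so they
 * are simply not sent.
 *
 * Returns the raw backend response, or an error string on bad input.
 */
function gattos_register($data) {
    $username = $data['username'] ?? null;
    $password = $data['password'] ?? null;
    // substr() throws a TypeError on non-strings in PHP 8; also refuse empty
    // credentials rather than creating a nameless account.
    if(!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return "Username o password mancanti";
    }
    $payload = [
        'key' => $GLOBALS['secret_write'],
        'username' => substr($username, 0, 32), //max 32 chars
        'password' => substr($password, 0, 32), //max 32 chars
    ];
    return gattos_mkcall_superuser(array(
        'path' => '/dbmkaccount.php',
        'data' => $payload,
    ));
}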
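/**
 * Authenticate against the backend user table and open a session.
 *
 * Reads 'username' and 'password' from $data, truncates both to 32 bytes
 * (matching gattos_register()), fetches /dbread.php and checks the stored
 * hash with password_verify(). On success the session id is regenerated and
 * $_SESSION['username'] is set.
 *
 * NOTE(review): /dbread.php returns every user's record including password
 * hashes on each login; a backend lookup endpoint for a single user would be
 * preferable, but that is outside this file.
 *
 * Returns "Logged in OK" or "Utente non trovato o pass sbagliata".
 */
function gattos_login($data) {
    $username = $data['username'] ?? null;
    $password = $data['password'] ?? null;
    // Reject non-string input up front: substr()/password_verify() throw a
    // TypeError on arrays in PHP 8, which the RPC handler does not catch.
    if(!is_string($username) || !is_string($password)) {
        return "Utente non trovato o pass sbagliata";
    }
    $username = substr($username, 0, 32); //max 32 chars
    $password = substr($password, 0, 32); //max 32 chars

    // gattos_mkcall() injects $secret_read itself; the original also copied
    // it into $data, where it was never used.
    $response = gattos_mkcall(array(
        'path' => '/dbread.php',
        'data' => [],
    ));
    $response = json_decode((string)$response, true);
    $stored = $response['users'][$username]['password'] ?? null;
    if(is_string($stored) && password_verify($password, $stored)) {
        // Rotate the session id on privilege change so an id fixed by an
        // attacker before login is not the one that becomes authenticated.
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        return "Logged in OK";
    }
    return "Utente non trovato o pass sbagliata";
}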
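// RPC handler
//
// Dispatches ?rpc=<name> to one of the public entry points with the posted
// data[] array. The original accepted any existing function whose name began
// with "gattos_", which also exposed the internal transport helpers
// (gattos_mkcall, gattos_mkcall_superuser, gattos_tourlparams) to remote
// callers; an explicit allow-list closes that.
// NOTE(review): there is no CSRF token on this endpoint; it relies on the
// session cookie alone, so the SameSite attribute on that cookie matters.
$gattos_rpc_allowed = ['gattos_register', 'gattos_login', 'gattos_newnote', 'gattos_readnotes'];

if(!isset($_GET['rpc']) || !$_GET['rpc'] || !is_string($_GET['rpc'])) {
    die("KO");
}

$func = $_GET['rpc'];
// strict in_array: no type juggling on the function name
if(!in_array($func, $gattos_rpc_allowed, true)) {
    die("KO");
}

// gattos_newnote / gattos_readnotes are only defined for a logged-in session
if(function_exists($func)) {
    // data[] must be an array: a scalar would make the offset write below throw
    $data = isset($_POST['data']) && is_array($_POST['data']) ? $_POST['data'] : [];
    // Mark the call as coming from a remote client; the helpers refuse
    // privileged work when they see this flag.
    $data['untrusted_ctx'] = true;
    $result = $func($data);
    header('Content-Type: application/json');
    echo json_encode(array(
        'result' => $result,
    ));
} else {
    die("ERROR! Non existing function or not logged in!");
}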