<?php
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Content-Security-Policy: default-src \'self\'');

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['csrf_token']) || !isset($_SERVER['HTTP_X_CSRF_TOKEN']) || 
        $_SESSION['csrf_token'] !== $_SERVER['HTTP_X_CSRF_TOKEN']) {
        http_response_code(403);
        die(json_encode(['error' => 'Invalid CSRF token']));
    }
}

$config = require 'config.php';
$db = new PDO(
    "mysql:host={$config['db']['host']};dbname={$config['db']['name']}", 
    $config['db']['user'], 
    $config['db']['pass']
);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $limit = isset($_GET['limit']) ? (int)$_GET['limit'] : 50;
    $limit = min(max(1, $limit), 100);
    
    try {
        $stmt = $db->prepare("SELECT username, message, created_at, signature, is_encrypted FROM messages ORDER BY created_at DESC LIMIT ?");
        $stmt->execute([$limit]);
        $messages = $stmt->fetchAll(PDO::FETCH_ASSOC);
        
        $filtered_messages = array_map(function($msg) {
            return [
                'username' => htmlspecialchars($msg['username']),
                'message' => $msg['is_encrypted'] ? '[Encrypted]' : htmlspecialchars($msg['message']),
                'created_at' => $msg['created_at'],
                'signature' => $msg['signature'] ? '[Signed]' : '',
                'is_encrypted' => (bool)$msg['is_encrypted']
            ];
        }, $messages);
        
        echo json_encode(['messages' => $filtered_messages]);
    } catch (Exception $e) {
        error_log("API Error: " . $e->getMessage());
        http_response_code(500);
        echo json_encode(['error' => 'Server error']);
    }
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    die(json_encode(['error' => 'Method not allowed']));
}

$ip = $_SERVER['REMOTE_ADDR'];
$stmt = $db->prepare("SELECT COUNT(*) FROM messages WHERE username = ? AND created_at > DATE_SUB(NOW(), INTERVAL 1 MINUTE)");
$stmt->execute([$ip]);
if ($stmt->fetchColumn() > 10) {
    http_response_code(429);
    die(json_encode(['error' => 'Too many requests']));
}

$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
    http_response_code(400);
    die(json_encode(['error' => 'Invalid JSON']));
}

$username = filter_var($input['username'] ?? '', FILTER_SANITIZE_STRING);
$message = $input['message'] ?? '';
$signature = $input['signature'] ?? '';
$is_encrypted = !empty($input['encrypted']) ? 1 : 0;

if (!$username || !$message || strlen($username) > 50 || strlen($message) > 10000) {
    http_response_code(400);
    die(json_encode(['error' => 'Invalid input']));
}

try {
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetch()) {
        http_response_code(400);
        die(json_encode(['error' => 'Username already registered']));
    }

    $stmt = $db->prepare('INSERT INTO messages (username, message, signature, is_encrypted) VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $message, $signature, $is_encrypted]);
    echo json_encode(['success' => true]);
} catch (Exception $e) {
    error_log("API Error: " . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'Server error']);
}