<?php
// ============================================================
//  api/settings.php
//
//  GET /api/settings      — get all settings (public)
//  PUT /api/settings      — update settings (admin only)
// ============================================================

require_once __DIR__ . '/db.php';

cors();

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $rows = db()->query("SELECT key, value FROM settings")->fetchAll();
    $out  = [];
    foreach ($rows as $r) {
        $out[$r['key']] = $r['value'];
    }
    json_out($out);
}

if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
    require_admin();

    $body    = body();
    $allowed = ['auth_enabled', 'auth_twitch_enabled', 'auth_kick_enabled'];

    $db   = db();
    $stmt = $db->prepare("INSERT INTO settings (key, value) VALUES (:k, :v) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value");

    foreach ($allowed as $key) {
        if (isset($body[$key])) {
            $val = $body[$key] === true || $body[$key] === 'true' ? 'true' : 'false';
            $stmt->execute([':k' => $key, ':v' => $val]);
        }
    }

    json_out(['ok' => true]);
}

json_error('Method not allowed', 405);