<?php
// ============================================================
//  api/moderators.php
//
//  GET    /api/moderators           — list moderators (admin)
//  GET    /api/moderators?users=1   — list all OAuth users (admin)
//  POST   /api/moderators           — add mod by username (admin)
//  DELETE /api/moderators?id=N      — revoke mod (admin)
//  POST   /api/moderators?ban=1     — ban user (admin)
//  DELETE /api/moderators?unban=N   — unban user (admin)
// ============================================================

require_once __DIR__ . '/db.php';

cors();
require_admin();

$method = $_SERVER['REQUEST_METHOD'];

// ------------------------------------------------------------------
// GET
// ------------------------------------------------------------------
if ($method === 'GET') {

    if (isset($_GET['users'])) {
        // All OAuth users with their role
        $rows = db()->query("
            SELECT u.id, u.provider, u.login, u.display_name, u.avatar,
                   u.created_at, u.last_seen, u.banned,
                   CASE WHEN m.id IS NOT NULL THEN true ELSE false END AS is_mod
            FROM users u
            LEFT JOIN moderators m ON m.user_id = u.id
            ORDER BY u.last_seen DESC
            LIMIT 200
        ")->fetchAll();
        json_out($rows);
    }

    // Moderators list
    $rows = db()->query("
        SELECT m.id AS mod_id, m.created_at, m.granted_by,
               u.id, u.provider, u.login, u.display_name, u.avatar
        FROM moderators m
        JOIN users u ON u.id = m.user_id
        ORDER BY m.created_at DESC
    ")->fetchAll();
    json_out($rows);
}

// ------------------------------------------------------------------
// POST — add mod or ban
// ------------------------------------------------------------------
if ($method === 'POST') {

    // Ban user
    if (isset($_GET['ban'])) {
        $body    = body();
        $user_id = (int)($body['user_id'] ?? 0);
        if (!$user_id) json_error('Missing user_id');
        db()->prepare("UPDATE users SET banned=true WHERE id=:id")->execute([':id' => $user_id]);
        // Also remove mod if banned
        db()->prepare("DELETE FROM moderators WHERE user_id=:id")->execute([':id' => $user_id]);
        json_out(['ok' => true]);
    }

    // Add moderator by username
    $body     = body();
    $login    = strtolower(trim($body['login']    ?? ''));
    $provider = in_array($body['provider'] ?? '', ['twitch','kick']) ? $body['provider'] : 'twitch';

    if (empty($login)) json_error('Missing login');

    $stmt = db()->prepare("SELECT id, display_name FROM users WHERE LOWER(login)=:l AND provider=:p AND (banned IS NULL OR banned=false)");
    $stmt->execute([':l' => $login, ':p' => $provider]);
    $user = $stmt->fetch();

    if (!$user) {
        json_error("Uživatel '$login' na $provider se zatím nepřihlásil nebo je zabanován.", 404);
    }

    db()->prepare("INSERT INTO moderators (user_id, granted_by) VALUES (:uid,'admin') ON CONFLICT (user_id) DO NOTHING")
        ->execute([':uid' => $user['id']]);
    json_out(['ok' => true, 'display_name' => $user['display_name']]);
}

// ------------------------------------------------------------------
// DELETE — revoke mod or unban
// ------------------------------------------------------------------
if ($method === 'DELETE') {

    // Unban
    if (isset($_GET['unban'])) {
        $user_id = (int)($_GET['unban'] ?? 0);
        if (!$user_id) json_error('Missing user_id');
        db()->prepare("UPDATE users SET banned=false WHERE id=:id")->execute([':id' => $user_id]);
        json_out(['ok' => true]);
    }

    // Remove mod
    $id = (int)($_GET['id'] ?? 0);
    if (!$id) json_error('Missing id');
    db()->prepare("DELETE FROM moderators WHERE id=:id")->execute([':id' => $id]);
    json_out(['ok' => true]);
}

json_error('Method not allowed', 405);