<?php
// ============================================================
//  api/rater_groups.php
//
//  GET    /api/rater_groups                  — list groups + members + linked streamer (admin)
//  GET    /api/rater_groups?my=1             — my group(s) info (rater); returns array
//  POST   /api/rater_groups                  — create group, optional streamer_id (admin)
//  PUT    /api/rater_groups?id=N             — update group (rename, set/unset streamer_id) (admin)
//  DELETE /api/rater_groups?id=N             — delete group (admin)
//  POST   /api/rater_groups?members=1        — add member to group (admin)
//  DELETE /api/rater_groups?member=N         — remove member (admin)
// ============================================================

require_once __DIR__ . '/db.php';

cors();
start_session();

$method = $_SERVER['REQUEST_METHOD'];

// ── My groups — for logged-in raters (returns array of groups) ─
if ($method === 'GET' && isset($_GET['my'])) {
    $user = $_SESSION['oauth_user'] ?? null;
    if (!$user) json_error('Not logged in', 401);

    $stmt = db()->prepare("
        SELECT g.id, g.name, g.streamer_id
        FROM rater_groups g
        JOIN rater_group_members m ON m.group_id = g.id
        WHERE m.user_id = :uid
        ORDER BY g.name
    ");
    $stmt->execute([':uid' => $user['id']]);
    $groups = $stmt->fetchAll();
    json_out($groups);
}

// All remaining endpoints require admin
require_admin();

// ── GET — list all groups with members + linked streamer ────
if ($method === 'GET') {
    $groups = db()->query("
        SELECT g.id, g.name, g.streamer_id, g.created_at,
               s.name AS streamer_name
        FROM rater_groups g
        LEFT JOIN streamers s ON s.id = g.streamer_id
        ORDER BY g.name
    ")->fetchAll();

    foreach ($groups as &$g) {
        $stmt = db()->prepare("
            SELECT m.id AS member_id, m.role, u.id, u.provider, u.login, u.display_name, u.avatar
            FROM rater_group_members m
            JOIN users u ON u.id = m.user_id
            WHERE m.group_id = :gid
            ORDER BY (m.role = 'owner') DESC, m.added_at
        ");
        $stmt->execute([':gid' => $g['id']]);
        $g['members'] = $stmt->fetchAll();

        $stmt = db()->prepare("SELECT COUNT(*) FROM community_ratings WHERE group_id = :gid");
        $stmt->execute([':gid' => $g['id']]);
        $g['ratings_count'] = (int)$stmt->fetchColumn();
    }

    json_out($groups);
}

// ── POST — create group or add member ────────────────────────
if ($method === 'POST') {

    if (isset($_GET['members'])) {
        $body     = body();
        $group_id = (int)($body['group_id'] ?? 0);
        $login    = strtolower(trim($body['login'] ?? ''));
        $provider = in_array($body['provider'] ?? '', ['twitch','kick']) ? $body['provider'] : 'twitch';
        $role     = in_array($body['role'] ?? '', ['owner','rater']) ? $body['role'] : 'rater';

        if (!$group_id || empty($login)) json_error('Missing group_id or login');

        $stmt = db()->prepare("SELECT id, display_name FROM users WHERE LOWER(login)=:l AND provider=:p AND (banned IS NULL OR banned=false)");
        $stmt->execute([':l' => $login, ':p' => $provider]);
        $user = $stmt->fetch();

        if (!$user) json_error("User '$login' on $provider has not logged in yet or is banned.", 404);

        // Only one owner per team — promote, if owner role requested
        if ($role === 'owner') {
            db()->prepare("UPDATE rater_group_members SET role='rater' WHERE group_id=:gid AND role='owner'")
                ->execute([':gid' => $group_id]);
        }

        db()->prepare("
            INSERT INTO rater_group_members (group_id, user_id, role)
            VALUES (:gid, :uid, :role)
            ON CONFLICT (group_id, user_id) DO UPDATE SET role = EXCLUDED.role
        ")->execute([':gid' => $group_id, ':uid' => $user['id'], ':role' => $role]);

        json_out(['ok' => true, 'display_name' => $user['display_name'], 'role' => $role]);
    }

    $body        = body();
    $name        = trim($body['name'] ?? '');
    $streamer_id = !empty($body['streamer_id']) ? (int)$body['streamer_id'] : null;
    if (empty($name)) json_error('Missing name');

    try {
        $stmt = db()->prepare("
            INSERT INTO rater_groups (name, streamer_id)
            VALUES (:n, :sid)
            RETURNING id, name, streamer_id, created_at
        ");
        $stmt->execute([':n' => $name, ':sid' => $streamer_id]);
        json_out($stmt->fetch(), 201);
    } catch (PDOException $e) {
        $msg = $e->getMessage();
        if (str_contains($msg, 'rater_groups_name')) json_error('Group name already exists', 409);
        if (str_contains($msg, 'idx_rater_groups_streamer')) json_error('This streamer already has a team', 409);
        json_error('DB error: ' . $msg, 500);
    }
}

// ── PUT — update group (rename, link/unlink streamer) ────────
if ($method === 'PUT') {
    $id = (int)($_GET['id'] ?? 0);
    if (!$id) json_error('Missing id');
    $body = body();

    $sets = [];
    $params = [':id' => $id];
    if (array_key_exists('name', $body)) {
        $name = trim($body['name'] ?? '');
        if (empty($name)) json_error('Name cannot be empty');
        $sets[] = 'name = :name';
        $params[':name'] = $name;
    }
    if (array_key_exists('streamer_id', $body)) {
        $sets[] = 'streamer_id = :sid';
        $params[':sid'] = !empty($body['streamer_id']) ? (int)$body['streamer_id'] : null;
    }
    if (empty($sets)) json_error('Nothing to update');

    try {
        $stmt = db()->prepare("UPDATE rater_groups SET " . implode(', ', $sets) . " WHERE id = :id");
        $stmt->execute($params);
        json_out(['ok' => true]);
    } catch (PDOException $e) {
        $msg = $e->getMessage();
        if (str_contains($msg, 'rater_groups_name')) json_error('Group name already exists', 409);
        if (str_contains($msg, 'idx_rater_groups_streamer')) json_error('This streamer already has a team', 409);
        json_error('DB error', 500);
    }
}

// ── DELETE — remove group or member ──────────────────────────
if ($method === 'DELETE') {

    if (isset($_GET['member'])) {
        $id = (int)($_GET['member'] ?? 0);
        if (!$id) json_error('Missing member id');
        db()->prepare("DELETE FROM rater_group_members WHERE id=:id")->execute([':id' => $id]);
        json_out(['ok' => true]);
    }

    $id = (int)($_GET['id'] ?? 0);
    if (!$id) json_error('Missing id');
    db()->prepare("DELETE FROM rater_groups WHERE id=:id")->execute([':id' => $id]);
    json_out(['ok' => true]);
}

json_error('Method not allowed', 405);