<?php
/**
 * WEVAL Google API Wrapper — uses Service Account
 * Usage: /api/google-api.php?action=drive-list|gmail-list|calendar-list
 * SA: /var/www/weval/gcloud-sa.json (jmapp-645@engaged-plasma-352110)
 */
header('Content-Type: application/json');

$SA = json_decode(file_get_contents('/var/www/weval/gcloud-sa.json'), true);
if (!$SA) die(json_encode(['error'=>'SA not found']));

$action = $_GET['action'] ?? $_POST['action'] ?? '';
if (!$action) die(json_encode(['error'=>'no action','available'=>['drive-list','gmail-send','calendar-list','sheets-create','test']]));

// JWT token génération for SA
function getAccessToken($sa, $scopes) {
    $header = base64url(json_encode(['alg'=>'RS256','typ'=>'JWT']));
    $now = time();
    $claim = base64url(json_encode([
        'iss' => $sa['client_email'],
        'scope' => implode(' ', $scopes),
        'aud' => 'https://oauth2.googleapis.com/token',
        'iat' => $now,
        'exp' => $now + 3600,
        'sub' => $sa['client_email']
    ]));
    $sig_input = "$header.$claim";
    openssl_sign($sig_input, $sig, $sa['private_key'], 'SHA256');
    $jwt = "$sig_input." . base64url($sig);
    
    $ch = curl_init('https://oauth2.googleapis.com/token');
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'assertion' => $jwt
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10
    ]);
    $resp = json_decode(curl_exec($ch), true);
    curl_close($ch);
    return $resp['access_token'] ?? null;
}

function base64url($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function apiCall($url, $token, $method = 'GET', $body = null) {
    $ch = curl_init($url);
    $headers = ['Authorization: Bearer ' . $token];
    if ($body) {
        $headers[] = 'Content-Type: application/json';
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
    }
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 15,
        CURLOPT_CUSTOMREQUEST => $method
    ]);
    $resp = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['code'=>$code, 'data'=>json_decode($resp, true) ?: $resp];
}

switch ($action) {
    case 'test':
        $token = getAccessToken($SA, ['https://www.googleapis.com/auth/drive.readonly']);
        echo json_encode(['ok'=>!!$token, 'email'=>$SA['client_email'], 'project'=>$SA['project_id']]);
        break;
    case 'drive-list':
        $token = getAccessToken($SA, ['https://www.googleapis.com/auth/drive.readonly']);
        if (!$token) die(json_encode(['error'=>'no token']));
        $r = apiCall('https://www.googleapis.com/drive/v3/files?pageSize=10', $token);
        echo json_encode($r);
        break;
    case 'gmail-send':
        $to = $_POST['to'] ?? '';
        $subject = $_POST['subject'] ?? 'Test';
        $body_text = $_POST['body'] ?? 'Test from WEVAL';
        $token = getAccessToken($SA, ['https://www.googleapis.com/auth/gmail.send']);
        if (!$token) die(json_encode(['error'=>'no token']));
        $raw = base64url("To: $to\r\nSubject: $subject\r\nContent-Type: text/html\r\n\r\n$body_text");
        $r = apiCall('https://gmail.googleapis.com/gmail/v1/users/me/messages/send', $token, 'POST', ['raw'=>$raw]);
        echo json_encode($r);
        break;
    case 'calendar-list':
        $token = getAccessToken($SA, ['https://www.googleapis.com/auth/calendar.readonly']);
        if (!$token) die(json_encode(['error'=>'no token']));
        $r = apiCall('https://www.googleapis.com/calendar/v3/calendars/primary/events?maxResults=5&orderBy=startTime&singleEvents=true', $token);
        echo json_encode($r);
        break;
    default:
        echo json_encode(['error'=>'unknown action','available'=>['test','drive-list','gmail-send','calendar-list']]);
}