<?php
// === office-db-proxy.php ===
// Proxies DB queries from S88 secure admin panel
// Only accessible from S88 (IP checked)
header('Content-Type: application/json');

$allowed = ['95.216.167.89','204.168.152.13','10.1.0.2','127.0.0.1','89.167.40.150'];
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if (!in_array($ip, $allowed)) {
    http_response_code(403);
    echo json_encode(['error'=>'forbidden','ip'=>$ip]);
    exit;
}

$token = $_POST['token'] ?? '';
if ($token !== 'wev-s88-proxy-2026!') {
    http_response_code(401);
    echo json_encode(['error'=>'bad token']);
    exit;
}

$action = $_POST['action'] ?? '';
$pdo = new PDO('pgsql:host=10.1.0.3;port=5432;dbname=adx_system','admin','admin123');

if ($action === 'stats') {
    $r = [];
    $r['total'] = $pdo->query("SELECT count(*) FROM admin.office_accounts")->fetchColumn();
    $r['active'] = $pdo->query("SELECT count(*) FROM admin.office_accounts WHERE status IN ('Active','active','warming')")->fetchColumn();
    $r['no_mfa'] = $pdo->query("SELECT count(*) FROM admin.office_accounts WHERE (has_mfa=false OR has_mfa IS NULL) AND status IN ('Active','active','warming')")->fetchColumn();
    $r['compromised'] = $pdo->query("SELECT count(*) FROM admin.office_accounts WHERE notes LIKE '%TARGETED%' OR notes LIKE '%COMPROMISED%'")->fetchColumn();
    echo json_encode($r);
    exit;
}

if ($action === 'list') {
    $search = $_POST['q'] ?? '';
    $filter = $_POST['f'] ?? 'all';
    $page = max(1, intval($_POST['p'] ?? 1));
    $pp = 25;
    $off = ($page-1)*$pp;
    $w = '1=1';
    if ($search) $w .= " AND (admin_email ILIKE ".$pdo->quote("%$search%")." OR notes ILIKE ".$pdo->quote("%$search%").")";
    if ($filter==='no_mfa') $w .= " AND (has_mfa=false OR has_mfa IS NULL)";
    if ($filter==='targeted') $w .= " AND (notes LIKE '%TARGETED%' OR notes LIKE '%COMPROMISED%')";
    if ($filter==='active') $w .= " AND status IN ('Active','active','warming')";
    if ($filter==='mbman') $w .= " AND admin_email LIKE '%mbman%'";
    $total = $pdo->query("SELECT count(*) FROM admin.office_accounts WHERE $w")->fetchColumn();
    $rows = $pdo->query("SELECT id,admin_email,admin_password,source,status,has_mfa,mfa_status,blocked_status,current_step,tenant_id,app_id,notes,last_update FROM admin.office_accounts WHERE $w ORDER BY last_update DESC NULLS LAST LIMIT $pp OFFSET $off")->fetchAll(PDO::FETCH_ASSOC);
    echo json_encode(['rows'=>$rows,'total'=>$total,'pages'=>ceil($total/$pp)]);
    exit;
}

if ($action === 'decrypt') {
    $id = intval($_POST['id'] ?? 0);
    if ($id > 0) {
        require_once __DIR__.'/office-pwd-crypto.php';
        $row = $pdo->query("SELECT admin_password FROM admin.office_accounts WHERE id=$id")->fetch();
        if ($row) {
            echo json_encode(['pwd'=>officeDecrypt($row['admin_password'])]);
            exit;
        }
    }
    echo json_encode(['error'=>'not found']);
    exit;
}

echo json_encode(['error'=>'unknown action']);