html/api/postback.php

<?php
require_once __DIR__ . '/_secrets.php';
// SAFE: Only receives conversion data from affiliate networks
// Does NOT send any emails
header('Content-Type: application/json');
$db = new PDO('pgsql:host=10.1.0.3;port=5432;dbname=adx_system','admin',weval_secret('WEVAL_PG_ADMIN_PASS'));
$db->exec("SET search_path TO admin");

$action = $_GET['action'] ?? 'receive';

if ($action === 'receive') {
    // Receive postback from affiliate networks
    $offer_id = $_GET['offer_id'] ?? $_GET['oid'] ?? '';
    $payout = floatval($_GET['payout'] ?? $_GET['p'] ?? 0);
    $sub1 = $_GET['sub1'] ?? $_GET['s1'] ?? '';
    $sub2 = $_GET['sub2'] ?? $_GET['s2'] ?? '';
    $network = $_GET['network'] ?? $_GET['n'] ?? 'unknown';
    $tx = $_GET['tx'] ?? $_GET['transaction_id'] ?? uniqid('cv_');
    
    $st = $db->prepare("INSERT INTO campaign_profit (campaign_name, network, offer_id, conversions, revenue, cost, profit, roas, date) 
        VALUES (?, ?, ?, 1, ?, 0, ?, 0, CURRENT_DATE)
        ON CONFLICT (campaign_name, date) DO UPDATE SET 
            conversions = campaign_profit.conversions + 1,
            revenue = campaign_profit.revenue + EXCLUDED.revenue,
            profit = campaign_profit.profit + EXCLUDED.profit");
    $st->execute([$sub1 ?: 'postback_'.$network, $network, $offer_id, $payout, $payout]);
    
    echo json_encode(['ok' => 1, 'conversion' => $tx, 'payout' => $payout]);
} elseif ($action === 'stats') {
    $token = $_GET['token'] ?? '';
    if ($token !== 'WEVADS2026') die(json_encode(['error' => 'token']));
    $totals = $db->query("SELECT COALESCE(SUM(conversions),0) as conv, COALESCE(SUM(revenue),0) as rev, COALESCE(SUM(profit),0) as profit FROM campaign_profit")->fetch(PDO::FETCH_ASSOC);
    $daily = [];foreach($db->query("SELECT date, SUM(conversions) as conv, SUM(revenue) as rev FROM campaign_profit GROUP BY date ORDER BY date DESC LIMIT 30") as $r) $daily[] = $r;
    echo json_encode(['ok' => 1, 'totals' => $totals, 'daily' => $daily]);
}