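<?php
declare(strict_types=1);

// Reseller inbox endpoint. Reads a JSON body {token, action[, id]}, resolves the
// session row for `token`, and runs one of: list / baca / hapus, each scoped to
// the reseller that owns the session. getDB() and jsonResponse() come from
// config.php; jsonResponse() is relied upon to terminate the request (the
// original flow depended on that after an invalid session), and an explicit
// exit() follows it here so the control flow does not depend on that alone.
header('Access-Control-Allow-Origin: *'); // NOTE(review): any origin may call this; tolerable only while auth is the body token and not a cookie — confirm
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, X-API-Key'); // X-API-Key is not read in this file
header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    // CORS preflight: answer with headers only.
    http_response_code(200);
    exit();
}

require_once 'config.php';

/**
 * Prepare, bind and execute one statement with bound parameters.
 *
 * Replaces the string-built SQL of the original: values are sent separately
 * from the query text, so real_escape_string() is no longer involved. On a
 * driver failure the client gets a generic message and the driver error stays
 * server-side via error_log() instead of being echoed.
 *
 * @param string          $types  bind_param type string, '' when there are no placeholders
 * @param list<int|string> $params values bound in placeholder order
 */
function runQuery(mysqli $db, string $sql, string $types, array $params): mysqli_stmt
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log('inbox: prepare failed: ' . $db->error);
        jsonResponse(['status' => 'error', 'msg' => 'Kesalahan server']);
        exit();
    }
    if ($types !== '') {
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        error_log('inbox: execute failed: ' . $stmt->error);
        jsonResponse(['status' => 'error', 'msg' => 'Kesalahan server']);
        exit();
    }
    return $stmt;
}

// Body parsing. json_decode() returns a scalar for bodies like "abc" or 42;
// indexing such a value as an array is an error, so only arrays are accepted.
$raw = file_get_contents('php://input');
$input = json_decode($raw === false ? '' : $raw, true);
if (!is_array($input)) {
    $input = [];
}
$token = is_string($input['token'] ?? null) ? $input['token'] : '';
$action = is_string($input['action'] ?? null) ? $input['action'] : '';

$db = getDB();

// Session lookup; expiry is enforced in SQL so server and DB clocks agree on
// "now". get_result() is used for SELECTs (needs the mysqlnd driver, which is
// the standard build); note it returns integer columns as PHP ints, whereas the
// original $db->query() path returned them as strings — check clients that
// compare JSON field types strictly.
$sesi = runQuery($db, 'SELECT * FROM sesi WHERE token = ? AND expired_at > NOW()', 's', [$token])
    ->get_result()
    ->fetch_assoc();
if (!$sesi) {
    jsonResponse(['status' => 'error', 'msg' => 'Sesi tidak valid']);
    exit();
}

// Every inbox query below is constrained by this value, never by client input,
// so one reseller cannot read or modify another reseller's messages.
$kode = (string) $sesi['kode_reseller'];

switch ($action) {
    case 'list':
        // Newest 100 messages plus the unread count.
        $rows = runQuery(
            $db,
            'SELECT * FROM inbox WHERE kode_reseller = ? ORDER BY created_at DESC LIMIT 100',
            's',
            [$kode],
        )->get_result();
        $data = $rows->fetch_all(MYSQLI_ASSOC);
        $belum = runQuery(
            $db,
            'SELECT COUNT(*) AS n FROM inbox WHERE kode_reseller = ? AND dibaca = 0',
            's',
            [$kode],
        )->get_result()->fetch_assoc()['n'];
        jsonResponse(['status' => 'sukses', 'data' => $data, 'belum_dibaca' => $belum]);
        break;

    case 'baca':
        // id > 0 marks one message read; id absent/0 marks all of them read.
        $id = intval($input['id'] ?? 0);
        if ($id > 0) {
            runQuery($db, 'UPDATE inbox SET dibaca = 1 WHERE id = ? AND kode_reseller = ?', 'is', [$id, $kode]);
        } else {
            runQuery($db, 'UPDATE inbox SET dibaca = 1 WHERE kode_reseller = ?', 's', [$kode]);
        }
        jsonResponse(['status' => 'sukses']);
        break;

    case 'hapus':
        // A missing/invalid id is a no-op that still reports success, as before.
        $id = intval($input['id'] ?? 0);
        if ($id > 0) {
            runQuery($db, 'DELETE FROM inbox WHERE id = ? AND kode_reseller = ?', 'is', [$id, $kode]);
        }
        jsonResponse(['status' => 'sukses']);
        break;

    default:
        jsonResponse(['status' => 'error', 'msg' => 'Action tidak valid']);
}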
