<?php

declare(strict_types=1);

require_once __DIR__ . '/_bootstrap.php'; // $pdo, $iduserlogin

try {
    $method = strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET');

    $cert_id = 0;
    if ($method === 'DELETE') {
        $cert_id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
    } else {
        // POST fallback
        $cert_id = isset($_POST['cert_id']) ? (int)$_POST['cert_id'] : (isset($_GET['id']) ? (int)$_GET['id'] : 0);
    }

    if ($cert_id <= 0) {
        http_response_code(422);
        echo json_encode(['success' => false, 'message' => 'Missing certificate id (id or cert_id).']);
        exit;
    }

    // Get cert and ensure ownership
    $stmt = $pdo->prepare("
        SELECT id, stored_path
        FROM user_medical_certificates
        WHERE id = ? AND user_id = ?
        LIMIT 1
    ");
    $stmt->execute([$cert_id, $iduserlogin]);
    $cert = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$cert) {
        http_response_code(404);
        echo json_encode(['success' => false, 'message' => 'Certificate not found.']);
        exit;
    }

    // stored_path like: userarea/certificate/xxx
    $stored = (string)$cert['stored_path'];
    $publicRoot = realpath(__DIR__ . '/../../'); // points to /public
    $fullPath = $publicRoot . DIRECTORY_SEPARATOR . str_replace(['/', '\\'], DIRECTORY_SEPARATOR, ltrim($stored, '/\\'));

    if (is_file($fullPath)) {
        @unlink($fullPath);
    }

    $del = $pdo->prepare("DELETE FROM user_medical_certificates WHERE id = ? AND user_id = ?");
    $del->execute([$cert_id, $iduserlogin]);

    echo json_encode(['success' => true, 'deleted_id' => $cert_id], JSON_UNESCAPED_UNICODE);
} catch (Throwable $e) {
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Server error.', 'error' => $e->getMessage()]);
}