<?php

declare(strict_types=1);

require_once __DIR__ . '/_bootstrap.php'; // $pdo, $iduserlogin

try {
    if (strtoupper($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        echo json_encode(['success' => false, 'message' => 'Method not allowed. Use POST.']);
        exit;
    }

    $user_id = (int)$iduserlogin;

    $raw = file_get_contents('php://input');
    $data = json_decode($raw ?: '', true);
    if (!is_array($data)) $data = $_POST;

    // Whitelist fields you allow to be updated
    $allowed = [
        'notify_email',
        'notify_whatsapp',
        'notify_push',
        'notify_booking_confirm',
        'notify_booking_cancel',
        'notify_session_cancel',
        'notify_payment_receipt',
        'notify_expiration_reminder',
        'newsletter_opt_in',
        'marketing_opt_in',
        'locale',
        'timezone',
    ];

    $updates = [];
    $params = [];

    foreach ($allowed as $field) {
        if (array_key_exists($field, $data)) {
            $val = $data[$field];

            // Normalize booleans/numbers for tinyint fields
            if (is_bool($val)) $val = $val ? 1 : 0;

            $updates[] = "{$field} = ?";
            $params[] = $val;
        }
    }

    if (empty($updates)) {
        http_response_code(422);
        echo json_encode(['success' => false, 'message' => 'No valid fields to update.']);
        exit;
    }

    // Ensure row exists
    $pdo->prepare("INSERT IGNORE INTO user_settings (user_id) VALUES (?)")->execute([$user_id]);

    $params[] = $user_id;

    $sql = "UPDATE user_settings SET " . implode(', ', $updates) . " WHERE user_id = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);

    echo json_encode(['success' => true]);
} catch (Throwable $e) {
    http_response_code(500);
    echo json_encode(['success' => false, 'message' => 'Server error.', 'error' => $e->getMessage()]);
}