<?php
require_once 'includes/db.php';
require_once 'includes/auth.php';
checkAuth();

header('Content-Type: application/json');
$data = json_decode(file_get_contents('php://input'), true);

if (!$data || empty(trim($data['product_name']))) {
    die(json_encode(['success' => false, 'error' => 'Nazwa produktu jest wymagana!']));
}

if (!isValidCsrfToken($data['csrf_token'] ?? null)) {
    http_response_code(403);
    die(json_encode(['success' => false, 'error' => 'Nieprawidłowy token bezpieczeństwa']));
}

try {
    $pdo->beginTransaction();

    $stmt = $pdo->prepare("INSERT INTO " . DB_PREFIX . "orders (product_name, quantity, purchase_place, price_per_unit, status) VALUES (?, ?, ?, ?, 'nowe')");

    $price = (float)str_replace(',', '.', $data['price_per_unit'] ?? 0);
    $qty = (int)($data['quantity'] ?? 1);

    $stmt->execute([
        trim($data['product_name']),
        $qty,
        trim($data['purchase_place'] ?? ''),
        $price
    ]);

    $new_id = $pdo->lastInsertId();

    $hist = $pdo->prepare("INSERT INTO " . DB_PREFIX . "order_history (order_id, user_id, action) VALUES (?, ?, ?)");
    $hist->execute([$new_id, $_SESSION['user_id'], "Utworzono zamówienie (szybkie dodawanie na liście)."]);

    $pdo->commit();
    echo json_encode(['success' => true]);
} catch (PDOException $e) {
    $pdo->rollBack();
    error_log($e->getMessage());
    echo json_encode(['success' => false, 'error' => 'Wystapil blad serwera']);
}
?>