<?php
/**
 * Security Helpers
 * File: inc/security.php
 *
 * Small, dependency-light helpers for nonces, sanitization/escaping,
 * and safe request accessors.
 *
 * @package BongotoWooCommerce
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * -------------------------------------------------------------------------
 * Constants
 * -------------------------------------------------------------------------
 */
if ( ! defined( 'BONGOTO_WOOCOMMERCE_NONCE_ACTION' ) ) {
	define( 'BONGOTO_WOOCOMMERCE_NONCE_ACTION', 'bongoto_woocommerce_nonce_action' );
}
if ( ! defined( 'BONGOTO_WOOCOMMERCE_NONCE_NAME' ) ) {
	define( 'BONGOTO_WOOCOMMERCE_NONCE_NAME', 'bongoto_woocommerce_nonce' );
}

/**
 * -------------------------------------------------------------------------
 * Nonce utilities
 * -------------------------------------------------------------------------
 */

/**
 * Output or return a nonce field for forms.
 *
 * @param string $action Optional custom action.
 * @param bool   $echo   Echo or return.
 * @return string|null
 */
function bongoto_woocommerce_nonce_field( $action = BONGOTO_WOOCOMMERCE_NONCE_ACTION, $echo = true ) {
	$field = wp_nonce_field( $action, BONGOTO_WOOCOMMERCE_NONCE_NAME, true, false );
	if ( $echo ) {
		echo $field; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
		return null;
	}
	return $field;
}

/**
 * Verify nonce from request (POST/GET).
 *
 * @param string $action Optional custom action.
 * @return bool
 */
function bongoto_woocommerce_verify_nonce( $action = BONGOTO_WOOCOMMERCE_NONCE_ACTION ) {
	$nonce = '';
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended
	if ( isset( $_REQUEST[ BONGOTO_WOOCOMMERCE_NONCE_NAME ] ) ) {
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
		$nonce = wp_unslash( $_REQUEST[ BONGOTO_WOOCOMMERCE_NONCE_NAME ] );
	}
	return (bool) wp_verify_nonce( $nonce, $action );
}

/**
 * Quick guard: capability + nonce.
 *
 * @param string $capability Default 'manage_options' for admin-only actions.
 * @param string $action     Nonce action.
 * @return bool
 */
function bongoto_woocommerce_guard( $capability = 'manage_options', $action = BONGOTO_WOOCOMMERCE_NONCE_ACTION ) {
	if ( ! current_user_can( $capability ) ) {
		return false;
	}
	return bongoto_woocommerce_verify_nonce( $action );
}

/**
 * -------------------------------------------------------------------------
 * Request accessors (sanitize on read)
 * -------------------------------------------------------------------------
 */

/**
 * Get a value from $_POST safely (string).
 *
 * @param string $key
 * @param string $default
 * @return string
 */
function bongoto_woocommerce_post_text( $key, $default = '' ) {
	// phpcs:ignore WordPress.Security.NonceVerification.Missing
	if ( ! isset( $_POST[ $key ] ) ) {
		return $default;
	}
	// phpcs:ignore WordPress.Security.NonceVerification.Missing
	return sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
}

/**
 * Get a value from $_POST safely (bool-like).
 *
 * @param string $key
 * @param bool   $default
 * @return bool
 */
function bongoto_woocommerce_post_bool( $key, $default = false ) {
	// phpcs:ignore WordPress.Security.NonceVerification.Missing
	if ( ! isset( $_POST[ $key ] ) ) {
		return $default;
	}
	// phpcs:ignore WordPress.Security.NonceVerification.Missing
	return bongoto_woocommerce_is_truthy( wp_unslash( $_POST[ $key ] ) );
}

/**
 * Get a value from $_POST safely (URL).
 *
 * @param string $key
 * @param string $default
 * @return string
 */
function bongoto_woocommerce_post_url( $key, $default = '' ) {
	// phpcs:ignore WordPress.Security.NonceVerification.Missing
	if ( ! isset( $_POST[ $key ] ) ) {
		return $default;
	}
	// phpcs:ignore WordPress.Security.NonceVerification.Missing
	return esc_url_raw( wp_unslash( $_POST[ $key ] ) );
}

/**
 * Get array of integers from request.
 *
 * @param array|string $source  'get'|'post' or array.
 * @param string       $key     Key for get/post.
 * @return int[]
 */
function bongoto_woocommerce_request_absints( $source, $key = '' ) {
	$data = array();

	if ( is_array( $source ) ) {
		$data = $source;
	} elseif ( 'get' === $source && isset( $_GET[ $key ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
		$data = (array) wp_unslash( $_GET[ $key ] );
	} elseif ( 'post' === $source && isset( $_POST[ $key ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
		// phpcs:ignore WordPress.Security.NonceVerification.Missing
		$data = (array) wp_unslash( $_POST[ $key ] );
	}

	return array_map( 'absint', $data );
}

/**
 * -------------------------------------------------------------------------
 * Sanitizers (for Customizer / Settings APIs)
 * -------------------------------------------------------------------------
 */

/**
 * Sanitize a boolean/checkbox.
 *
 * @param mixed $val
 * @return bool
 */
function bongoto_woocommerce_sanitize_checkbox( $val ) {
	return bongoto_woocommerce_is_truthy( $val );
}

/**
 * Sanitize a select/radio against allowed values.
 *
 * @param mixed $val
 * @param array $allowed
 * @param mixed $default
 * @return mixed
 */
function bongoto_woocommerce_sanitize_choice( $val, $allowed, $default ) {
	$val = is_scalar( $val ) ? (string) $val : '';
	return in_array( $val, array_map( 'strval', (array) $allowed ), true ) ? $val : $default;
}

/**
 * Sanitize integer with min/max clamp.
 *
 * @param mixed $val
 * @param int   $min
 * @param int   $max
 * @param int   $default
 * @return int
 */
function bongoto_woocommerce_sanitize_int_range( $val, $min, $max, $default ) {
	$val = absint( $val );
	if ( $val < $min || $val > $max ) {
		return $default;
	}
	return $val;
}

/**
 * Sanitize text (strip tags, keep basic punctuation).
 *
 * @param mixed $val
 * @return string
 */
function bongoto_woocommerce_sanitize_text( $val ) {
	return sanitize_text_field( (string) $val );
}

/**
 * Sanitize URL.
 *
 * @param mixed $val
 * @return string
 */
function bongoto_woocommerce_sanitize_url( $val ) {
	return esc_url_raw( (string) $val );
}

/**
 * Sanitize array of strings.
 *
 * @param mixed $val
 * @return array
 */
function bongoto_woocommerce_sanitize_text_array( $val ) {
	$val = (array) $val;
	return array_map( 'sanitize_text_field', wp_unslash( $val ) );
}

/**
 * -------------------------------------------------------------------------
 * Allowed HTML contexts for wp_kses()
 * -------------------------------------------------------------------------
 */

/**
 * Return allowed HTML tags/attrs for a given context.
 *
 * @param string $context 'basic'|'form'|'button'|'inline'
 * @return array
 */
function bongoto_woocommerce_allowed_html( $context = 'basic' ) {
	switch ( $context ) {
		case 'form':
			$allowed = array(
				'form'   => array(
					'action' => true,
					'method' => true,
					'class'  => true,
					'id'     => true,
				),
				'input'  => array(
					'type'        => true,
					'name'        => true,
					'value'       => true,
					'class'       => true,
					'id'          => true,
					'placeholder' => true,
					'checked'     => true,
					'selected'    => true,
				),
				'button' => array(
					'type'  => true,
					'class' => true,
					'id'    => true,
				),
				'label'  => array(
					'for'   => true,
					'class' => true,
				),
				'select' => array(
					'name'  => true,
					'class' => true,
					'id'    => true,
				),
				'option' => array(
					'value'    => true,
					'selected' => true,
				),
				'small'  => array( 'class' => true ),
				'span'   => array( 'class' => true ),
			);
			break;

		case 'button':
			$allowed = array(
				'a'      => array(
					'href'       => true,
					'class'      => true,
					'id'         => true,
					'aria-label' => true,
					'rel'        => true,
					'target'     => true,
				),
				'button' => array(
					'type'  => true,
					'class' => true,
					'id'    => true,
				),
				'span'   => array( 'class' => true ),
				'svg'    => array(
					'class'       => true,
					'width'       => true,
					'height'      => true,
					'viewBox'     => true,
					'aria-hidden' => true,
					'focusable'   => true,
					'role'        => true,
				),
				'path'   => array(
					'd'              => true,
					'fill'           => true,
					'stroke'         => true,
					'stroke-width'   => true,
					'stroke-linecap' => true,
					'stroke-linejoin'=> true,
				),
				'circle' => array(
					'cx'   => true,
					'cy'   => true,
					'r'    => true,
					'fill' => true,
				),
			);
			break;

		case 'inline':
			$allowed = array(
				'span'   => array( 'class' => true ),
				'strong' => array(),
				'em'     => array(),
				'code'   => array(),
				'br'     => array(),
			);
			break;

		case 'basic':
		default:
			$allowed = array(
				'a'      => array(
					'href'   => true,
					'title'  => true,
					'rel'    => true,
					'target' => true,
				),
				'br'     => array(),
				'em'     => array(),
				'strong' => array(),
				'p'      => array( 'class' => true ),
				'ul'     => array( 'class' => true ),
				'ol'     => array( 'class' => true ),
				'li'     => array( 'class' => true ),
			);
			break;
	}
	return $allowed;
}

/**
 * -------------------------------------------------------------------------
 * Escape shortcuts (for echoing)
 * -------------------------------------------------------------------------
 */

/**
 * Echo safe HTML (limited by context).
 *
 * @param string $html
 * @param string $context
 * @return void
 */
function bongoto_woocommerce_echo_kses( $html, $context = 'basic' ) {
	echo wp_kses( $html, bongoto_woocommerce_allowed_html( $context ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}

/**
 * Echo safe attribute value.
 *
 * @param string $text
 * @return void
 */
function bongoto_woocommerce_attr( $text ) {
	echo esc_attr( $text ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}

/**
 * -------------------------------------------------------------------------
 * Misc small helpers
 * -------------------------------------------------------------------------
 */

/**
 * Loose truthy detection for form values.
 *
 * @param mixed $val
 * @return bool
 */
function bongoto_woocommerce_is_truthy( $val ) {
	if ( is_bool( $val ) ) {
		return $val;
	}
	$val = is_string( $val ) ? strtolower( trim( $val ) ) : $val;
	return in_array( $val, array( 1, '1', 'true', 'yes', 'on', 'checked' ), true );
}

/**
 * Safe remote request wrapper (GET/POST) with sane defaults.
 *
 * @param string $url
 * @param array  $args
 * @param string $method 'GET'|'POST'
 * @return array|WP_Error
 */
function bongoto_woocommerce_remote_request( $url, $args = array(), $method = 'GET' ) {
	$defaults = array(
		'timeout'   => 15,
		'sslverify' => true,
		'headers'   => array( 'Accept' => 'application/json' ),
	);
	$args = wp_parse_args( $args, $defaults );

	if ( 'POST' === strtoupper( $method ) ) {
		return wp_remote_post( esc_url_raw( $url ), $args );
	}
	return wp_remote_get( esc_url_raw( $url ), $args );
}