<?php
header('Content-Type: application/json');

$signed_request = $_POST['signed_request'] ?? '';

$data = parse_signed_request($signed_request);

if (!$data || !isset($data['user_id'])) {
  http_response_code(400);
  echo json_encode(['error' => 'Invalid signed request.']);
  exit;
}

$user_id = $data['user_id'];

// Simulate deletion tracking
$confirmation_code = 'abc123';
$status_url = "https://geminor.cloud/deletion.html?id=$confirmation_code";

$response = [
  'url' => $status_url,
  'confirmation_code' => $confirmation_code
];

echo json_encode($response);

// === Helper Functions ===

function parse_signed_request($signed_request) {
  list($encoded_sig, $payload) = explode('.', $signed_request, 2);

  $secret = '77b0c211a386cb26ed91975a3e1e220b'; // Move to env/config in production

  // decode data
  $sig = base64_url_decode($encoded_sig);
  $data = json_decode(base64_url_decode($payload), true);

  // verify signature
  $expected_sig = hash_hmac('sha256', $payload, $secret, true);
  if ($sig !== $expected_sig) {
    error_log('Bad Signed JSON signature!');
    return null;
  }

  return $data;
}

function base64_url_decode($input) {
  return base64_decode(strtr($input, '-_', '+/'));
}
?>