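'use strict';

const express = require('express');

const router = express.Router();
const { getDb, getSetting, setSetting } = require('../db/database');

// Keys a regular user is allowed to read and write.
// Admin/SMTP/backup/auth settings are excluded — they are only readable through
// their respective admin endpoints and never exposed here. The list is frozen so
// nothing can widen the allowlist at runtime.
const USER_SETTING_KEYS = Object.freeze([
  'currency',
  'date_format',
  'grace_period_days',
  'notify_days_before',
]);

// NOTE(review): this router performs no authentication or authorization of its
// own; it assumes an auth middleware is mounted ahead of it — confirm at the
// mount point, otherwise these preferences are world-writable.

/**
 * Whether a value may be persisted as a setting.
 * Only strings, finite numbers and booleans are accepted; objects, arrays,
 * null and undefined are rejected so a JSON body cannot push structured data
 * into the settings store.
 * @param {unknown} value candidate value from the request body
 * @returns {boolean}
 */
function isScalarSettingValue(value) {
  if (typeof value === 'string' || typeof value === 'boolean') return true;
  return typeof value === 'number' && Number.isFinite(value);
}

/**
 * Reads the user-facing settings from the database.
 * Only keys in USER_SETTING_KEYS are consulted; a key without a stored row is
 * omitted from the result rather than reported as null.
 * @param {*} db handle returned by getDb()
 * @returns {Record<string, *>} allowed key -> stored value
 */
function readUserSettings(db) {
  // Prepare once instead of once per key (the original re-prepared in the loop).
  const selectValue = db.prepare('SELECT value FROM settings WHERE key = ?');
  const settings = {};
  for (const key of USER_SETTING_KEYS) {
    const row = selectValue.get(key);
    if (row) settings[key] = row.value;
  }
  return settings;
}

// GET /api/settings — returns only user-facing app preferences
router.get('/', (req, res) => {
  res.json(readUserSettings(getDb()));
});

// PUT /api/settings — updates only allowed user-facing keys; silently ignores others.
// Unlike the original, a malformed body or a non-scalar value is rejected with 400
// instead of throwing (no body parser → Object.entries(undefined) was a 500) or
// handing arbitrary structures to setSetting.
router.put('/', (req, res) => {
  const body = req.body;
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return res.status(400).json({ error: 'Request body must be a JSON object' });
  }

  // Own enumerable keys only, filtered by the allowlist — a '__proto__' or
  // 'constructor' key in the payload is dropped here like any other unknown key.
  const updates = Object.entries(body).filter(([key]) => USER_SETTING_KEYS.includes(key));

  // Validate every value before writing any, so a bad request cannot leave a
  // partial update behind.
  const invalid = updates.find(([, value]) => !isScalarSettingValue(value));
  if (invalid) {
    return res.status(400).json({ error: `Invalid value for setting '${invalid[0]}'` });
  }

  for (const [key, value] of updates) {
    setSetting(key, value);
  }

  res.json(readUserSettings(getDb()));
});

module.exports = router;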