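<?php
/**
 * POST endpoint: buy a product with the logged-in user's wallet balance.
 *
 * Flow (every database write happens inside one transaction):
 *   1. verify the session login and resolve the user id;
 *   2. load the active product and lock the user's row (SELECT ... FOR UPDATE)
 *      so the balance check and the debit cannot be raced by a second request;
 *   3. record the purchase, credit any cashback, update the package flag;
 *   4. refresh the session balance and return a JSON payload.
 *
 * Every response is JSON: {"success": bool, "message": string, ...}.
 * Business-rule failures (unknown product, insufficient funds) keep the
 * original 200 + success=false shape; database failures are logged server-side
 * and reported to the client with a generic message instead of the driver text.
 */

declare(strict_types=1);

session_start();

/**
 * Emit a JSON response with the given HTTP status and stop the script.
 *
 * @param array<string, mixed> $payload body to encode
 * @param int                  $status  HTTP status code (default 200)
 */
function send_json(array $payload, int $status = 200): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($payload);
    exit;
}

/**
 * Read the user's wallet balance and lock the row for the rest of the
 * transaction.
 *
 * FOR UPDATE makes concurrent purchases for the same account serialise on
 * this statement instead of both reading the same (stale) balance and both
 * passing the affordability check. Requires a row-locking engine
 * (InnoDB / PostgreSQL); must be called after beginTransaction().
 *
 * @throws RuntimeException when no users row exists for the id
 */
function lock_balance(PDO $pdo, int $user_id): float
{
    $stmt = $pdo->prepare('SELECT balance FROM users WHERE id = ? FOR UPDATE');
    $stmt->execute([$user_id]);
    $balance = $stmt->fetchColumn();
    if ($balance === false) {
        throw new RuntimeException('User account not found.');
    }

    return (float) $balance;
}

/**
 * Append one row to the transactions ledger.
 *
 * @param string $type          ledger type, e.g. 'product_purchase' or 'cashback'
 * @param float  $balance_after wallet balance once this entry is applied
 */
function record_transaction(
    PDO $pdo,
    int $user_id,
    string $type,
    float $amount,
    string $description,
    float $balance_after
): void {
    $stmt = $pdo->prepare(
        'INSERT INTO transactions (user_id, type, amount, description, balance_after) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$user_id, $type, $amount, $description, $balance_after]);
}

if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    send_json(['success' => false, 'message' => 'Not authenticated'], 403);
}

// Include database configuration (provides $pdo)
require_once '../../db.php';

// Only the user id is trusted from the session. The balance is deliberately
// NOT taken from $_SESSION['balance']: a stale or tampered session value must
// never decide whether a purchase is affordable — the database row is read
// under lock inside the transaction below.
$user_id = filter_var($_SESSION['user_id'] ?? null, FILTER_VALIDATE_INT);
if ($user_id === false || $user_id <= 0) {
    send_json(['success' => false, 'message' => 'User not identified']);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // The original script produced an empty 200 for non-POST requests; make
    // the contract explicit for clients and scanners.
    header('Allow: POST');
    send_json(['success' => false, 'message' => 'Method not allowed'], 405);
}

// NOTE(review): this request moves funds but no CSRF token is verified here;
// confirm the calling page or a middleware layer enforces one.
// FILTER_VALIDATE_INT rejects anything that is not a positive integer outright
// (FILTER_SANITIZE_NUMBER_INT would have let "-1" or "" through to the query).
$product_id = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($product_id === false || $product_id === null) {
    send_json(['success' => false, 'message' => 'Product not available.']);
}

try {
    $pdo->beginTransaction();

    // Get product details
    $stmt = $pdo->prepare('SELECT * FROM products WHERE id = ? AND is_active = TRUE');
    $stmt->execute([$product_id]);
    $product = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$product) {
        throw new RuntimeException('Product not available.');
    }
    $price = (float) $product['price'];
    $cashback = (float) ($product['cashback_amount'] ?? 0);

    // Authoritative balance, row locked until commit/rollback.
    $current_balance = lock_balance($pdo, $user_id);
    if ($current_balance < $price) {
        throw new RuntimeException(
            'Insufficient balance to purchase this product. You need KES '
            . number_format($price - $current_balance, 2) . ' more.'
        );
    }

    // Deduct product price from user's balance
    $new_balance = $current_balance - $price;
    $stmt = $pdo->prepare('UPDATE users SET balance = ? WHERE id = ?');
    $stmt->execute([$new_balance, $user_id]);

    // Record the purchase in the ledger
    record_transaction($pdo, $user_id, 'product_purchase', $price, 'Purchased: ' . $product['name'], $new_balance);

    // Add to user's products
    $stmt = $pdo->prepare(
        'INSERT INTO user_products (user_id, product_id, purchase_price, cashback_received) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$user_id, $product_id, $price, $cashback]);

    // Credit cashback, if the product carries any, as a second ledger entry
    if ($cashback > 0) {
        $new_balance += $cashback;
        $stmt = $pdo->prepare('UPDATE users SET balance = ?, rewards = rewards + ? WHERE id = ?');
        $stmt->execute([$new_balance, $cashback, $user_id]);
        record_transaction($pdo, $user_id, 'cashback', $cashback, 'Cashback for: ' . $product['name'], $new_balance);
    }

    // Products whose name mentions a package/bundle also become the user's current package
    if (stripos($product['name'], 'package') !== false || stripos($product['name'], 'bundle') !== false) {
        $stmt = $pdo->prepare('UPDATE users SET package = ? WHERE id = ?');
        $stmt->execute([$product['name'], $user_id]);
        $_SESSION['package'] = $product['name'];
    }

    $pdo->commit();

    // Session cache of the balance is refreshed only after the commit succeeded,
    // so a rolled-back purchase never leaves a wrong figure in the session.
    $_SESSION['balance'] = $new_balance;

    send_json([
        'success' => true,
        'message' => 'Product purchased successfully!',
        'new_balance' => $new_balance,
        'product_name' => $product['name'],
        // Slug is derived from the admin-managed product name, as before.
        'redirect_url' => 'package-' . strtolower(str_replace(' ', '-', $product['name'])) . '.php',
    ]);
} catch (PDOException $e) {
    // Database/driver failure: keep the details in the server log, never in the response.
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    error_log(sprintf('Product purchase failed for user %d: %s', $user_id, $e->getMessage()));
    send_json(['success' => false, 'message' => 'Purchase could not be completed. Please try again.'], 500);
} catch (Exception $e) {
    // Business-rule failure raised above; the message is written for the user.
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    send_json(['success' => false, 'message' => $e->getMessage()]);
}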