<?php
// contact.php
declare(strict_types=1);

session_start();

// ====== CONFIG ======
$siteName   = 'Durham City Studios';
$toEmail    = 'info@durhamcitystudios.com';  // <-- CHANGE THIS
$fromEmail  = 'bt@durhamcitystudios.com'; // <-- ideally an address on YOUR domain
$subjectTag = '[Website Contact]';

// ====== HELPERS ======
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

function clean_line(string $s): string {
  // Remove CR/LF to prevent header injection
  $s = str_replace(["\r", "\n"], ' ', $s);
  return trim($s);
}

function post_string(string $key, int $maxLen = 2000): string {
  $v = $_POST[$key] ?? '';
  if (!is_string($v)) return '';
  $v = trim($v);
  if (mb_strlen($v) > $maxLen) $v = mb_substr($v, 0, $maxLen);
  return $v;
}

// ====== CSRF TOKEN ======
if (empty($_SESSION['csrf_token'])) {
  $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// ====== STATE ======
$errors  = [];
$success = false;

$name    = '';
$email   = '';
$phone   = '';
$subject = '';
$message = '';

// ====== HANDLE POST ======
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  // Rate limit (simple)
  $now = time();
  $last = $_SESSION['last_submit_ts'] ?? 0;
  if (is_int($last) && ($now - $last) < 30) {
    $errors[] = 'Please wait 30 seconds before sending another message.';
  }

  // CSRF check
  $csrf = $_POST['csrf_token'] ?? '';
  if (!is_string($csrf) || !hash_equals($_SESSION['csrf_token'], $csrf)) {
    $errors[] = 'Security check failed. Please refresh the page and try again.';
  }

  // Honeypot check
  $honeypot = $_POST['website'] ?? '';
  if (is_string($honeypot) && trim($honeypot) !== '') {
    // Pretend success (don’t tell bots they were caught)
    $success = true;
  }

  // Pull fields (even if honeypot tripped; keeps response consistent)
  $name    = post_string('name', 120);
  $email   = post_string('email', 254);
  $phone   = post_string('phone', 40);
  $subject = post_string('subject', 120);
  $message = post_string('message', 5000);

  // Validate only if honeypot NOT tripped
  if (!$success) {
    if ($name === '') $errors[] = 'Name is required.';
    if ($email === '') $errors[] = 'Email is required.';
    if ($message === '') $errors[] = 'Message is required.';

    if ($email !== '' && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
      $errors[] = 'Please enter a valid email address.';
    }

    // Basic phone clean (optional)
    if ($phone !== '') {
      $phone = preg_replace('/[^\d\+\-\s\(\)]/', '', $phone) ?? '';
      $phone = trim($phone);
    }

    // Normalise message newlines
    $message = preg_replace("/\r\n|\r/", "\n", $message) ?? $message;

    // Build email
    if (!$errors) {
      $safeName    = clean_line($name);
      $safeEmail   = clean_line($email);
      $safeSubject = clean_line($subject);

      $finalSubject = $subjectTag . ' ' . ($safeSubject !== '' ? $safeSubject : 'New message');

      $bodyLines = [
        "New contact form submission from {$siteName}",
        "",
        "Name: {$safeName}",
        "Email: {$safeEmail}",
        "Phone: " . ($phone !== '' ? $phone : '—'),
        "Subject: " . ($safeSubject !== '' ? $safeSubject : '—'),
        "",
        "Message:",
        $message,
        "",
        "IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'),
        "Time: " . date('c'),
      ];
      $body = implode("\n", $bodyLines);

      // Headers: From should be YOUR domain; Reply-To can be the user
      $headers = [];
      $headers[] = "MIME-Version: 1.0";
      $headers[] = "Content-Type: text/plain; charset=UTF-8";
      $headers[] = "From: {$siteName} <{$fromEmail}>";
      $headers[] = "Reply-To: {$safeName} <{$safeEmail}>";
      $headers[] = "X-Content-Type-Options: nosniff";

      $ok = @mail($toEmail, $finalSubject, $body, implode("\r\n", $headers));

      if ($ok) {
        $success = true;
        $_SESSION['last_submit_ts'] = $now;

        // Optional: rotate CSRF token after successful submit
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));

        // Clear form fields after success
        $name = $email = $phone = $subject = $message = '';
      } else {
        $errors[] = 'Message could not be sent (server mail is not configured).';
      }
    }
  }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Contact Us - Durham City Studios</title>
  <link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
  <link href="https://fonts.googleapis.com/css2?family=Raleway:wght@400;700&display=swap" rel="stylesheet">
  <style>body{font-family:'Raleway',sans-serif;}</style>
</head>

<body class="bg-blue-600 dark:bg-gray-900 text-gray-800 dark:text-gray-100 transition-colors duration-500">
  <header class="bg-black text-white p-4 shadow-md">
    <div class="flex flex-col md:flex-row items-center justify-between md:justify-center space-y-4 md:space-y-0 md:space-x-8">
      <h1 class="text-xl font-bold text-center">Durham City Studios</h1>
      <nav class="flex flex-wrap justify-center md:justify-start space-x-4" aria-label="Main Navigation">
        <a href="index.html" class="block px-2 py-1 hover:bg-white hover:text-black rounded transition">Home</a>
        <a href="framing.html" class="block px-2 py-1 hover:bg-white hover:text-black rounded transition">Picture Framing</a>
        <a href="printing.html" class="block px-2 py-1 hover:bg-white hover:text-black rounded transition">Printing</a>
        <a href="passports.html" class="block px-2 py-1 hover:bg-white hover:text-black rounded transition">Passport & Visa Photos</a>
        <a href="contact.php" class="block px-2 py-1 bg-white text-black rounded transition">Contact Us</a>
      </nav>
    </div>
  </header>

  <main class="max-w-xl mx-auto mt-10 bg-white p-8 rounded-lg shadow-md dark:bg-gray-800">
    <h2 class="text-3xl font-bold mb-6 text-center">Contact Us</h2>

    <?php if ($success): ?>
      <div class="mb-6 p-4 rounded-lg bg-green-100 text-green-800">
        Thanks — your message has been sent.
      </div>
    <?php endif; ?>

    <?php if ($errors): ?>
      <div class="mb-6 p-4 rounded-lg bg-red-100 text-red-800">
        <p class="font-semibold mb-2">Please fix the following:</p>
        <ul class="list-disc pl-5 space-y-1">
          <?php foreach ($errors as $e): ?>
            <li><?= h($e) ?></li>
          <?php endforeach; ?>
        </ul>
      </div>
    <?php endif; ?>

    <form action="contact.php" method="post" class="space-y-5" novalidate>
      <!-- CSRF -->
      <input type="hidden" name="csrf_token" value="<?= h($_SESSION['csrf_token']) ?>">

      <!-- Honeypot (spam trap) -->
      <div class="hidden" aria-hidden="true">
        <label for="website">Website</label>
        <input type="text" name="website" id="website" tabindex="-1" autocomplete="off">
      </div>

      <div>
        <label for="name" class="block mb-1 font-semibold">Name*</label>
        <input type="text" name="name" id="name" required aria-required="true"
          value="<?= h($name) ?>"
          class="w-full p-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 dark:bg-gray-700 dark:border-gray-600">
      </div>

      <div>
        <label for="email" class="block mb-1 font-semibold">Email*</label>
        <input type="email" name="email" id="email" required aria-required="true"
          value="<?= h($email) ?>"
          class="w-full p-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 dark:bg-gray-700 dark:border-gray-600">
      </div>

      <div>
        <label for="phone" class="block mb-1 font-semibold">Phone</label>
        <input type="tel" name="phone" id="phone"
          value="<?= h($phone) ?>"
          class="w-full p-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 dark:bg-gray-700 dark:border-gray-600">
      </div>

      <div>
        <label for="subject" class="block mb-1 font-semibold">Subject</label>
        <input type="text" name="subject" id="subject"
          value="<?= h($subject) ?>"
          class="w-full p-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 dark:bg-gray-700 dark:border-gray-600">
      </div>

      <div>
        <label for="message" class="block mb-1 font-semibold">Message*</label>
        <textarea name="message" id="message" required aria-required="true"
          class="w-full p-3 border border-gray-300 rounded-lg h-32 resize-vertical focus:ring-2 focus:ring-blue-500 dark:bg-gray-700 dark:border-gray-600"><?= h($message) ?></textarea>
      </div>

      <button type="submit"
        class="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-3 px-6 rounded-lg shadow-md transition duration-200">
        Send Message
      </button>
    </form>
  </main>

  <div class="max-w-xl mx-auto mt-8 text-center pb-10">
    <a href="https://www.durhamcitystudios.com" class="text-white hover:underline">
      Back to main site
    </a>
  </div>
</body>
</html>