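<?php
// booking_proxy.php - Simple proxy to serve the booking page through same origin
// Purpose: bypass X-Frame-Options / CSP frame-ancestors on the upstream by serving content from our domain.
//
// Security notes:
//  - Everything echoed by this script is rendered under THIS origin, so upstream markup and
//    scripts run with this site's cookies, storage and DOM access. Host the proxy on a
//    dedicated cookieless hostname, or embed it in a sandboxed iframe, if that is not intended.
//  - The supported alternative is for the upstream to list this site in its own
//    frame-ancestors policy; no proxy is needed then.
//  - Only paths below $base are proxied, and redirects are followed only while they stay on
//    the same HTTPS host, so the script cannot be steered to fetch arbitrary URLs.

// Target URL (main booking page)
$base = 'https://booking.georgiantransfer.com/templatica_template/booking/';

/**
 * Decide whether a caller-supplied relative path may be appended to the base URL.
 *
 * Rejects non-string input (e.g. ?path[]=x), control characters, whitespace, backslashes
 * and "." / ".." segments. libcurl normalises dot segments before sending the request, so
 * an unchecked "../" would reach paths outside the booking directory on the upstream host.
 * A doubly percent-encoded value is not decoded a second time here.
 *
 * @param mixed $path Raw value of the "path" query parameter.
 * @return bool True when the path is safe to append to the base URL.
 */
function booking_proxy_path_is_safe($path)
{
    if (!is_string($path)) {
        return false;
    }

    // Decode once so %2e%2e and %5c are judged the same way as their literal forms.
    $decoded = rawurldecode($path);

    if (preg_match('/[\x00-\x20\x7F\\\\]/', $decoded)) {
        return false;
    }

    foreach (preg_split('~[/?#]~', $decoded) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return false;
        }
    }

    return true;
}

$rawPath = isset($_GET['path']) ? $_GET['path'] : '';
if (!booking_proxy_path_is_safe($rawPath)) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo 'Invalid path';
    exit;
}

$path = ltrim($rawPath, '/');
$targetUrl = rtrim($base, '/') . '/' . $path;

/**
 * Fetch a URL over HTTPS and return its body, final HTTP status and cURL error text.
 *
 * Redirects are followed by hand (at most five hops) instead of CURLOPT_FOLLOWLOCATION so
 * that each hop can be checked: a redirect is followed only if it is HTTPS and targets the
 * same host as the initial URL. Anything else is reported as a failed fetch.
 *
 * @param string $url Absolute https:// URL to fetch.
 * @return array [string|false $body, int $code, string $err]
 */
function fetch_remote($url){
    $origin = parse_url($url);
    $allowedHost = isset($origin['host']) ? strtolower($origin['host']) : '';
    $maxRedirects = 5;
    $code = 0;

    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $ch = curl_init($url);
        if ($ch === false) {
            return [false, 0, 'curl_init failed'];
        }

        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            // Redirects are validated and followed manually below.
            CURLOPT_FOLLOWLOCATION => false,
            // Never speak anything but HTTPS, whatever the URL says.
            CURLOPT_PROTOCOLS => CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT => 20,
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36',
            CURLOPT_HTTPHEADER => [
                'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language: en-US,en;q=0.9'
            ],
        ]);

        $body = curl_exec($ch);
        $err = curl_error($ch);
        $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);

        $isRedirect = $body !== false && $code >= 300 && $code < 400
            && is_string($next) && $next !== '';
        if (!$isRedirect) {
            return [$body, $code, $err];
        }

        $target = parse_url($next);
        $scheme = isset($target['scheme']) ? strtolower($target['scheme']) : '';
        $host = isset($target['host']) ? strtolower($target['host']) : '';
        if ($scheme !== 'https' || $host === '' || $host !== $allowedHost) {
            return [false, $code, 'Redirect to a different origin was refused'];
        }

        $url = $next;
    }

    return [false, $code, 'Too many redirects'];
}

list($html, $status, $err) = fetch_remote($targetUrl);

if ($html === false || $status >= 400) {
    http_response_code(502);
    header('Content-Type: text/html; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    // NOTE(review): the original markup of this error page was lost in extraction; only its
    // text survived. The tags and the link target below are a minimal reconstruction - confirm
    // against the deployed file.
    echo '<!doctype html><html><head><meta charset="utf-8"><title>Booking Unavailable</title></head><body>';
    echo '
<p>
Booking service temporarily unavailable. Please <a href="' . htmlspecialchars($base, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" target="_blank" rel="noopener noreferrer">open in a new tab</a>.
</p>
';
    // The cURL error text is escaped before output because it can contain parts of the URL.
    if ($err) echo '<p>Error: ' . htmlspecialchars($err, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
    echo '</body></html>';
    exit;
}

// Ensure base tag so that relative resources resolve to the booking host
$baseHref = $base;
$baseTag = '<base href="' . htmlspecialchars($baseHref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';

// Insert <base> right after the opening <head> tag. The match count decides the fallback,
// so a document that contains "<header>" but no "<head>" still receives a base tag.
// NOTE(review): the pattern is reconstructed from a garbled source - confirm.
$inserted = 0;
$withBase = preg_replace_callback(
    '/<head(\s[^>]*)?>/i',
    function ($m) use ($baseTag) {
        return $m[0] . $baseTag;
    },
    $html,
    1,
    $inserted
);

if ($withBase !== null && $inserted > 0) {
    $html = $withBase;
} else {
    // Fallback: prepend base at start
    $html = $baseTag . $html;
}

// Remove CSP meta tags from the upstream document.
// Browsers do not honour frame-ancestors in a <meta> policy, so this step does not affect
// framing; its effect is that the upstream's script/resource restrictions no longer apply to
// the content rendered under this origin. Keep it only if the page fails to load without it.
// NOTE(review): the pattern is reconstructed from a garbled source - confirm.
$withoutCsp = preg_replace(
    '/<meta\b[^>]*http-equiv\s*=\s*["\']?Content-Security-Policy\b[^>]*>/i',
    '',
    $html
);
if ($withoutCsp !== null) {
    // preg_replace returns null on a PCRE error; keep the document rather than emit nothing.
    $html = $withoutCsp;
}

// Do not forward upstream security headers that would prevent framing. We only set content-type
// (plus nosniff, which does not affect framing).
header('Content-Type: text/html; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $html;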