const express = require('express');
const router = express.Router();
const { getDatabase } = require('../db/init');
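// Allowed columns — this whitelist is the only thing standing between request
// body keys and SQL column names in the UPDATE below (column names cannot be
// bound as parameters), so it must stay exact. It is frozen so no code path can
// push/splice a column into it at runtime; `includes`/`join` still work.
const ALLOWED_KEYS = Object.freeze([
  'kennel_name',
  'kennel_tagline',
  'kennel_address',
  'kennel_phone',
  'kennel_email',
  'kennel_website',
  'kennel_akc_id',
  'kennel_breed',
  'owner_name',
]);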
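// GET /api/settings
// Returns the single settings row projected onto ALLOWED_KEYS only, so internal
// columns (id, updated_at, anything added later) are never exposed.
// NOTE(review): no authentication is applied inside this router; if kennel
// contact details are not meant to be public, an auth middleware has to be
// mounted by the parent app before this route — confirm against server setup.
router.get('/', (req, res) => {
  try {
    const db = getDatabase();
    // Always returns exactly one row (seeded in init.js). The interpolated
    // column list is the fixed whitelist, never request input.
    const row = db.prepare(`SELECT ${ALLOWED_KEYS.join(', ')} FROM settings LIMIT 1`).get();
    res.json(row || {});
  } catch (error) {
    // Log the full error server-side, but do not echo error.message to the
    // client: driver messages can reveal schema, SQL text and file paths.
    console.error('Error fetching settings:', error);
    res.status(500).json({ error: 'Failed to fetch settings' });
  }
});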
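// PUT /api/settings
// Partially updates the single settings row. Only keys present in ALLOWED_KEYS
// are written; unknown keys are silently dropped and a body with no valid keys
// is a 400. Column names in the UPDATE come exclusively from the whitelist and
// values are bound as parameters, so request input never reaches the SQL text.
// NOTE(review): no authentication is visible in this router; a write endpoint
// for kennel identity should sit behind auth middleware mounted by the parent
// app — confirm against server setup. No length limit is enforced on values.
router.put('/', (req, res) => {
  try {
    const db = getDatabase();
    const updates = req.body || {};
    // Whitelist filter. Object.keys yields own enumerable properties only, so
    // inherited/prototype keys cannot slip through, and anything not in the
    // list is discarded rather than rejected.
    const fields = Object.keys(updates).filter((k) => ALLOWED_KEYS.includes(k));
    if (fields.length === 0) {
      return res.status(400).json({ error: 'No valid settings fields provided' });
    }
    // Settings are scalar text columns. Reject objects/arrays explicitly instead
    // of letting String() silently persist "[object Object]" or "a,b".
    // (Field names echoed here are whitelisted, not raw request keys.)
    const nonScalar = fields.filter((f) => typeof updates[f] === 'object' && updates[f] !== null);
    if (nonScalar.length > 0) {
      return res.status(400).json({ error: `Settings values must be scalar: ${nonScalar.join(', ')}` });
    }
    const setClause = fields.map((f) => `${f} = ?`).join(', ');
    // null/undefined clear the column; every other scalar is stored as text.
    const values = fields.map((f) => (updates[f] == null ? null : String(updates[f])));
    // Ensure a row exists, then update it. The UPDATE targets the first row by
    // id rather than assuming the table holds exactly one.
    const existing = db.prepare('SELECT id FROM settings LIMIT 1').get();
    if (!existing) {
      db.prepare(`INSERT INTO settings (kennel_name) VALUES ('BREEDR')`).run();
    }
    db.prepare(`UPDATE settings SET ${setClause}, updated_at = datetime('now') WHERE id = (SELECT id FROM settings LIMIT 1)`)
      .run(...values);
    const row = db.prepare(`SELECT ${ALLOWED_KEYS.join(', ')} FROM settings LIMIT 1`).get();
    res.json(row || {});
  } catch (error) {
    // Log server-side only; error.message from the DB driver may disclose
    // schema or file-system details to the caller.
    console.error('Error saving settings:', error);
    res.status(500).json({ error: 'Failed to save settings' });
  }
});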
// Router is mounted by the parent app; the route comments above imply /api/settings
// as the mount point — verify in the server entry file.
module.exports = router;