From ed7dfe7795ea13fd1bcbf20528282915af1fcd77 Mon Sep 17 00:00:00 2001
From: igor
Date: Fri, 12 Jun 2026 16:11:21 +0200
Subject: [PATCH] implemented step 03 by Gemini

---
 public/ajax.php | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 public/ajax.php

diff --git a/public/ajax.php b/public/ajax.php
new file mode 100644
index 0000000..5a31b39
--- /dev/null
+++ b/public/ajax.php
@@ -0,0 +1,69 @@
+ $success];
+ if ($success) {
+ $response['data'] = $dataOrError;
+ } else {
+ $response['error'] = $dataOrError;
+ }
+ echo json_encode($response, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
+ exit;
+}
+
+try {
+ // Only POST allowed
+ if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+ sendResponse(false, ['code' => 'METHOD_NOT_ALLOWED', 'message' => 'Only POST requests are allowed.'], 405);
+ }
+
+ // Read JSON input
+ $input = file_get_contents('php://input');
+ $data = json_decode($input, true);
+
+ if (json_last_error() !== JSON_ERROR_NONE) {
+ sendResponse(false, ['code' => 'INVALID_JSON', 'message' => 'Invalid JSON input.'], 400);
+ }
+
+ // Validate action
+ $action = $data['action'] ?? null;
+ if (!$action) {
+ sendResponse(false, ['code' => 'MISSING_ACTION', 'message' => 'Action is required.'], 400);
+ }
+
+ // Check X-User-ID header (except for initSession if we want to allow it)
+ $userId = $_SERVER['HTTP_X_USER_ID'] ?? null;
+ if (!$userId && $action !== 'initSession') {
+ sendResponse(false, ['code' => 'UNAUTHORIZED', 'message' => 'X-User-ID header is missing.'], 401);
+ }
+
+ // Router
+ switch ($action) {
+ case 'ping':
+ sendResponse(true, ['message' => 'pong', 'timestamp' => time()]);
+ break;
+
+ default:
+ sendResponse(false, ['code' => 'UNKNOWN_ACTION', 'message' => "Action '$action' is not defined."], 404);
+ break;
+ }
+
+} catch (Throwable $e) {
+ sendResponse(false, [
+ 'code' => 'INTERNAL_SERVER_ERROR',
+ 'message' => $e->getMessage()
+ ], 500);
+}
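Review bot: The catch block at the end of the hunk sends `$e->getMessage()` to the client under a 500, which exposes internal details (file paths, library or driver error text) to any caller; log the exception server-side and return a fixed message instead, e.g. `error_log((string) $e);` and `'message' => 'An unexpected error occurred.'`. The `X-User-ID` check only tests that the header is present, and a request header is set by the client, so it does not establish who the caller is; if this is meant as authentication, the value needs to be bound to a server-side session or a signed token, and `$userId` is otherwise unused in the visible code. `switch ($action)` compares loosely, so a JSON `true` for `action` satisfies `case 'ping'`; validating with `if (!is_string($action) || $action === '')` before the router closes that and also stops the value `"0"` being rejected by `!$action`. The start of the hunk is garbled in this view (the opening of the file and the `sendResponse` signature are missing), so whether `declare(strict_types=1)`, a JSON `Content-Type` header and the HTTP status code are set in `sendResponse` cannot be confirmed here.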