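<?php

declare(strict_types=1);

// Login endpoint: exchanges a username/password pair for an API token and
// answers in JSON through json_ok()/json_err() from core/response.php.
// json_err() is relied on to terminate the request (the original code never
// guarded the lines after it) — confirm against core/response.php.
ob_start();
require_once __DIR__ . '/../core/db.php';
require_once __DIR__ . '/../core/auth.php';
require_once __DIR__ . '/../core/response.php';

cors();
header('Content-Type: application/json');

/**
 * Read one credential field from the request body, falling back to the query
 * string for backward compatibility.
 *
 * Non-string values (e.g. `username[]=x`) are treated as absent instead of
 * reaching trim() and raising a TypeError outside the catch block below.
 * The value is trimmed, as before: stored hashes were computed from trimmed
 * input, so dropping the trim would lock out existing accounts.
 *
 * NOTE(review): credentials in the query string end up in access logs, proxy
 * logs and browser history; clients should move to POST so the GET fallback
 * can be removed.
 */
$credential = static function (string $key): string {
    $value = $_POST[$key] ?? $_GET[$key] ?? '';

    return is_string($value) ? trim($value) : '';
};

$username = $credential('username');
$password = $credential('password');

// Compare against '' rather than using truthiness: the username "0" is falsy.
if ($username === '' || $password === '') {
    json_err('Username and password required');
}

try {
    $db = DB::get();

    // The stored password format is not uniform: the SHA2-256 form is tried
    // first, then MD5 for legacy rows, then plain text for rows that predate
    // the migration. All three schemes are unsalted and unsuitable for
    // passwords; rows should be migrated to password_hash() and checked with
    // password_verify() in PHP rather than compared inside the query.
    $lookups = [
        'SELECT * FROM proart_accounting_users WHERE username = ? AND password = SHA2(?, 256) LIMIT 1',
        'SELECT * FROM proart_accounting_users WHERE username = ? AND password = MD5(?) LIMIT 1',
        'SELECT * FROM proart_accounting_users WHERE username = ? AND password = ? LIMIT 1',
    ];

    $user = null;
    foreach ($lookups as $sql) {
        $user = $db->selectOne($sql, 'ss', $username, $password);
        if ($user) {
            break;
        }
    }

    if (!$user) {
        json_err('Invalid username or password', 401);
    }

    $userId = (int) $user['record_id'];
    $token = Auth::createToken($userId);
    Auth::log($userId, 'LOGIN', 'proart_accounting_users', $userId);

    json_ok([
        'token'    => $token,
        'user_id'  => $user['record_id'],
        'username' => $user['username'],
        'email'    => $user['email'],
        'rights'   => $user['rights'],
    ], 'Login successful');
} catch (\Throwable $e) {
    // Keep the detail server-side: driver and SQL error text can disclose
    // schema, host names or query fragments to an unauthenticated caller.
    // \Throwable (not Exception) so a TypeError/Error also yields JSON
    // instead of PHP's default error page.
    error_log('login: ' . get_class($e) . ': ' . $e->getMessage());
    json_err('Server error', 500);
}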