<?php
require_once __DIR__ . '/../config/auth.php';

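// Only POST is accepted: credentials must never travel in a query string,
// where they would land in access logs, proxies and browser history.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    json_error('POST required', 405);
}

// Credentials come straight from the request body and are untrusted.  Only
// $_POST is read (never $_GET / $_REQUEST) so nothing is lifted from the URL.
// A non-string value (e.g. `username[]=x`) would make trim() throw and turn
// into a 500; reject it as a plain validation failure instead.
$rawUsername = $_POST['username'] ?? '';
$rawPassword = $_POST['password'] ?? '';
if (!is_string($rawUsername) || !is_string($rawPassword)) {
    json_error('Username and password required');
}

$username = trim($rawUsername);
// NOTE(review): trimming the password alters the credential.  It is kept
// because existing hashes were presumably computed from the trimmed value
// (the registration code is not visible here) — confirm before removing.
$password = trim($rawPassword);

// Explicit comparison rather than empty(): empty('0') is true, which would
// wrongly reject a literal "0" username or password.
if ($username === '' || $password === '') {
    json_error('Username and password required');
}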

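// Look up the user by name.  Parameterised, so the username cannot alter the
// query.  LEFT JOIN: a user whose type row is missing still gets a result
// (user_type_name is then null).
$stmt = db()->prepare(
    'SELECT u.*, ut.user_type_name
     FROM safesure_users u
     LEFT JOIN user_type ut ON ut.record_id = u.user_type_id
     WHERE u.safesure_users_name = ? LIMIT 1'
);
$stmt->execute([$username]);
$user = $stmt->fetch();

if (!$user) {
    // Burn roughly the cost of a real verification so an unknown username is
    // not distinguishable from a wrong password by response time.  Same
    // message and status as the wrong-password case for the same reason.
    password_hash($password, PASSWORD_BCRYPT);
    json_error('Invalid credentials', 401);
}

// A null/empty stored hash (disabled or half-created account) must never
// match anything; hash_equals() would also throw a TypeError on null.
$storedHash = $user['password'] ?? '';
if (!is_string($storedHash) || $storedHash === '') {
    json_error('Invalid credentials', 401);
}

// The column historically holds an unsalted SHA-256 hex digest, which is
// cheap to brute-force offline if the table leaks.  A hash produced by
// password_hash() (recognised by password_get_info()) is verified with
// password_verify(); anything else is treated as a legacy digest, compared
// in constant time, and upgraded in place after a successful login.
// NOTE(review): there is no lockout or rate limit in this endpoint; online
// guessing must be throttled in front of it (web server / WAF / auth.php).
$isModernHash = !empty(password_get_info($storedHash)['algo']);
if ($isModernHash) {
    $credentialsValid = password_verify($password, $storedHash);
} else {
    $credentialsValid = hash_equals($storedHash, hash('sha256', $password));
}

if (!$credentialsValid) {
    json_error('Invalid credentials', 401);
}

if (!$isModernHash || password_needs_rehash($storedHash, PASSWORD_BCRYPT)) {
    // Opportunistic upgrade of the stored hash.  PASSWORD_BCRYPT is pinned
    // because its 60-char output fits a column sized for 64-char SHA-256 hex;
    // PASSWORD_DEFAULT may one day produce longer strings that a narrow
    // column would truncate and lock the user out.  The login itself must not
    // fail if the upgrade does — the user has already authenticated — so a
    // database error here is deliberately treated as best-effort.
    try {
        db()->prepare('UPDATE safesure_users SET password = ? WHERE record_id = ?')
            ->execute([password_hash($password, PASSWORD_BCRYPT), $user['record_id']]);
    } catch (\PDOException $e) {
        // Best-effort: the legacy hash simply stays until the next login.
    }
}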

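// Session token: 32 bytes from the CSPRNG, hex-encoded (64 chars).  Never
// substitute rand()/mt_rand()/uniqid() here.
$token = bin2hex(random_bytes(32));

// Lifetime.  Both timestamps are derived from the same PHP clock so that
// created_at and expires_at cannot disagree (the original used the DB
// server's NOW() for one and PHP's date() for the other, which drift apart
// whenever the two hosts or their timezones differ).
// NOTE(review): the token-validation code is not visible here; if it
// compares expires_at against MySQL NOW(), PHP's date.timezone must match
// the DB session timezone — confirm.
$tokenTtl  = '+8 hours';
$issuedAt  = new DateTimeImmutable('now');
$expiresAt = $issuedAt->modify($tokenTtl);
$expires   = $expiresAt->format('Y-m-d H:i:s');

// NOTE(review): the token is stored in clear, so read access to api_tokens is
// a session hijack.  Storing hash('sha256', $token) and hashing on lookup
// would remove that, but the lookup code elsewhere must change in step, so
// it is left as-is here.

// Single-session policy: drop the user's earlier tokens, then issue the new
// one.  Both statements run in one transaction so a failure between them
// cannot leave the user with no valid token or with stale ones still live.
$pdo = db();
$pdo->beginTransaction();
try {
    $pdo->prepare('DELETE FROM api_tokens WHERE safesure_users_id = ?')
        ->execute([$user['record_id']]);
    $pdo->prepare(
        'INSERT INTO api_tokens (token, safesure_users_id, created_at, expires_at)
         VALUES (?, ?, ?, ?)'
    )->execute([
        $token,
        $user['record_id'],
        $issuedAt->format('Y-m-d H:i:s'),
        $expires,
    ]);
    $pdo->commit();
} catch (\Throwable $e) {
    $pdo->rollBack();
    throw $e;
}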

// Response: the bearer token, its expiry, and the caller's own profile.
// Only the columns listed below are exposed — in particular not `password`,
// even though u.* was selected above.  Key order is part of the JSON shape
// clients see, so keep it stable.
$profile = [
    'id'               => $user['record_id'],
    'username'         => $user['safesure_users_name'],
    'name'             => $user['name'],
    'email'            => $user['email'],
    'user_type_id'     => $user['user_type_id'],
    'user_type_name'   => $user['user_type_name'],
    'clients_multi'    => $user['clients_multi'],
    'assessor_number'  => $user['assessor_number'],
    'moderator_number' => $user['moderator_number'],
];

$payload = [
    'token'      => $token,
    'expires_at' => $expires,
    'user'       => $profile,
];

json_success($payload, 'Login successful');
