<?php
// ─── Savuki Drilling — POST /api/auth/login.php ──────────────────────────

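define('ROOT', dirname(__DIR__, 2));
require_once ROOT . '/core/DB.php';
require_once ROOT . '/core/Response.php';
require_once ROOT . '/core/Auth.php';

// Lifetime of a freshly issued API token, as a relative date offset.
$tokenTtl = '+10 hours';

header('Content-Type: application/json');
// NOTE(review): a wildcard origin lets any site POST credentials here and read the
// token from the JSON body; restrict this to the known front-end origin(s) if the
// API is not meant to be public.
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, OPTIONS');
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Response::error() is relied on to terminate the script (as in the original flow).
    Response::error('Method not allowed.', 405);
}

// Only form-encoded / multipart bodies populate $_POST; a JSON body is not read here.
// A repeated field (e.g. username[]=...) arrives as an array, which trim() and the
// password check would reject with a TypeError — treat anything that is not a
// string as missing.
$rawUsername = $_POST['username'] ?? null;
$rawPassword = $_POST['password'] ?? null;
$username    = is_string($rawUsername) ? trim($rawUsername) : '';
$password    = is_string($rawPassword) ? $rawPassword : '';

// Compare against '' explicitly: a truthiness check would reject the valid
// username or password "0".
if ($username === '' || $password === '') {
    Response::error('Username and password are required.');
}

$db   = DB::get();
$user = $db->row(
    "SELECT record_id, username, user_password, user_type, team_id
     FROM   users
     WHERE  LOWER(username) = LOWER(?)",
    [$username]
);

// Run the password check even when the username is unknown, so the response
// time does not reveal which usernames exist. The throw-away hash costs about
// the same to verify as a stored one.
// NOTE(review): assumes Auth::verifyPassword() wraps password_verify() — confirm;
// with any other scheme the dummy hash simply never matches.
$storedHash = $user
    ? (string) ($user['user_password'] ?? '')
    : password_hash('placeholder', PASSWORD_DEFAULT);
$passwordOk = Auth::verifyPassword($password, $storedHash);

// Same generic message for "no such user" and "wrong password".
// NOTE(review): no throttling or lockout of failed attempts is applied in this
// script — confirm it is enforced at the web-server / gateway layer.
if (!$user || !$passwordOk) {
    Response::error('Invalid username or password.', 401);
}

// Drop this user's tokens that have already expired. NOW() is evaluated by the
// database server, while $expiresAt below is computed in PHP's default timezone.
// NOTE(review): confirm both clocks use the same zone, otherwise expiry drifts.
$db->run("DELETE FROM api_tokens WHERE user_id = ? AND expires_at < NOW()", [$user['record_id']]);

// Issue a new token valid for $tokenTtl from now.
$token     = Auth::generateToken();
$expiresAt = (new DateTimeImmutable($tokenTtl))->format('Y-m-d H:i:s');

$db->run(
    "INSERT INTO api_tokens (token, user_id, expires_at) VALUES (?, ?, ?)",
    [$token, $user['record_id'], $expiresAt]
);

// The password hash is deliberately not part of the response.
Response::ok([
    'token'      => $token,
    'expires_at' => $expiresAt,
    'user'       => [
        'id'        => (int) $user['record_id'],
        'username'  => $user['username'],
        'user_type' => $user['user_type'],
        'team_id'   => $user['team_id'],
    ],
]);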
