<?php
require 'db.php';
require 'auth.php';

header('Content-Type: application/json');

$data = json_decode(file_get_contents('php://input'), true);
$email = strtolower(trim($data['email'] ?? ''));
$password = strval($data['password'] ?? '');

$stmt = $pdo->prepare("
    SELECT u.id, u.email, u.password_hash,
           r.name AS role_name,
           r.can_manage_settings
    FROM users u
    JOIN roles r ON r.id = u.role_id
    WHERE u.email = ?
    LIMIT 1
");
$stmt->execute([$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if (!$user || !password_verify($password, $user['password_hash'])) {
    http_response_code(401);
    echo json_encode(['success' => false, 'error' => 'Invalid credentials']);
    exit;
}

$_SESSION['user'] = [
    'id' => intval($user['id']),
    'email' => $user['email'],
    'role' => $user['role_name'],
    'can_manage_settings' => intval($user['can_manage_settings']),
];

echo json_encode([
    'success' => true,
    'user' => [
        'id' => $_SESSION['user']['id'],
        'email' => $_SESSION['user']['email'],
        'role' => $_SESSION['user']['role'],
        'can_manage_settings' => $_SESSION['user']['can_manage_settings'],
    ]
]);