<?php
declare(strict_types=1);
require __DIR__ . '/config.php';

$data = json_decode(file_get_contents('php://input') ?: '[]', true);
if (!is_array($data)) json_out(400, ['ok' => false, 'error' => 'Invalid JSON']);

$login = isset($data['login']) ? trim((string)$data['login']) : '';
$password = isset($data['password']) ? (string)$data['password'] : '';

if ($login === '' || $password === '') {
  json_out(400, ['ok' => false, 'error' => 'Missing login or password']);
}

$stmt = $pdo->prepare('SELECT id, username, email, password_hash, created_at FROM users WHERE username = ? OR email = ? LIMIT 1');
$stmt->execute([$login, $login]);
$user = $stmt->fetch();

if (!$user || !password_verify($password, (string)$user['password_hash'])) {
  json_out(401, ['ok' => false, 'error' => 'Invalid credentials']);
}

$_SESSION['user_id'] = (int)$user['id'];

json_out(200, [
  'ok' => true,
  'user' => [
    'id' => (int)$user['id'],
    'username' => (string)$user['username'],
    'email' => $user['email'],
    'created_at' => $user['created_at'],
  ]
]);