<?php
include 'db_connection.php';
session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = sanitize_input($_POST['username']);
    $password = sanitize_input($_POST['password']);

    $stmt = $db->prepare("SELECT id, username, password, active FROM User WHERE username = :username");
    $stmt->bindParam(':username', $username);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row) {
        if ($row['active'] == 1 && password_verify($password, $row['password'])) {
            $_SESSION['username'] = $row['username'];
            $_SESSION['user_id'] = $row['id'];
            // Set cookie
            setcookie('loggedIn', 'true', time() + 600, '/'); // Expires in 10 minutes
            echo json_encode(['success' => true, 'message' => 'Login successful!']);
            exit();
        } else if ($row['active'] == 0) {
            echo json_encode(['success' => false, 'error' => 'Account is not active. Please wait for admin approval.']);
            exit();
        } else {
            echo json_encode(['success' => false, 'error' => 'Invalid username or password.']);
            exit();
        }
    } else {
        echo json_encode(['success' => false, 'error' => 'Invalid username or password.']);
        exit();
    }
} else {
    echo json_encode(['success' => false, 'error' => 'Invalid request method.']);
    exit();
}
?>