<?php
global $db;

try {
    $data = json_decode(file_get_contents("php://input"), true);
    if (!$data || empty($data['email']) || empty($data['password'])) {
        http_response_code(400);
        echo json_encode(['message' => 'E-Mail und Passwort erforderlich']);
        exit;
    }

    $stmt = $db->prepare("SELECT id, email, password_hash, role FROM users WHERE email = :email LIMIT 1");
    $stmt->execute([':email' => $data['email']]);
    $user = $stmt->fetch();

    if (!$user || !password_verify($data['password'], $user['password_hash'])) {
        http_response_code(401);
        echo json_encode(['message' => 'Ungültige Anmeldedaten']);
        exit;
    }

    $_SESSION['user'] = [
        'id' => (int)$user['id'],
        'email' => $user['email'],
        'role' => $user['role'],
    ];

    echo json_encode(['message' => 'Login erfolgreich', 'user' => $_SESSION['user']]);
} catch (Exception $e) {
    error_log("Login error: " . $e->getMessage());
    http_response_code(500);
    echo json_encode(['message' => 'Login fehlgeschlagen']);
}