<?php
require_once __DIR__ . '/../../db/config.php';

class AuthController {

    public function login($email, $password) {
        $pdo = db();
        $stmt = $pdo->prepare("SELECT * FROM users WHERE email = ? AND (role = 'admin' OR role = 'editor')");
        $stmt->execute([$email]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($user && password_verify($password, $user['password'])) {
            session_start();
            $_SESSION['user_id'] = $user['id'];
            $_SESSION['user_name'] = $user['name'];
            $_SESSION['role'] = $user['role'];
            return ['success' => true];
        } else {
            // For security, we use a generic error message.
            // Note: The default password 'ChangeMe123!' from the initial seed needs to be hashed correctly.
            // Use scripts/seed_admin.php or a manual hash generation to set it up.
            return ['success' => false, 'message' => 'Credenciais inválidas ou usuário não autorizado.'];
        }
    }

    public function logout() {
        session_start();
        session_unset();
        session_destroy();
    }

    public static function checkAuth() {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
        if (!isset($_SESSION['user_id'])) {
            header("Location: " . BASE_URL . "admin/login.php");
            exit();
        }
    }
    
    public static function isAdmin() {
        self::checkAuth();
        if ($_SESSION['role'] !== 'admin') {
            // Redirect to a less privileged page or show an error
            header("Location: " . BASE_URL . "admin/index.php?error=unauthorized");
            exit();
        }
    }
}